Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
23-05-2024 09:16
General
-
Target
fe1a7571c9807b27e8776e1349733430_NeikiAnalytics.exe
-
Size
65KB
-
MD5
fe1a7571c9807b27e8776e1349733430
-
SHA1
d3aa49a8533a2cfdf31ae694ab56139ee06c544a
-
SHA256
331a08fff9e8d20fc5db7ce52ac5a0f1051bde9b84ab91e2d41d3042670c1337
-
SHA512
e6641b0ce17bfd8c3d115b830f95611d76acd995f05a503e7e1cbff48201ee9980b8911632bda0121aef92ed98eb968c60ac4e9d8f815e8208a0ad2ee2f7d65b
-
SSDEEP
1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuP:7WNqkOJWmo1HpM0MkTUmuP
Malware Config
Signatures
-
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe1a7571c9807b27e8776e1349733430_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\fe1a7571c9807b27e8776e1349733430_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exeat 09:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
C:\Windows\SysWOW64\at.exeat 09:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
C:\Windows\SysWOW64\at.exeat 09:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD5db41377a731650b0d90666cf0e2195e7
SHA11420dc90692a840bde6cabffa7222238a1c554a3
SHA256dea3f82c2a3300ed08334b2baf0f7facdf36841912d21f5d83ce3b7f065657bf
SHA5121a5f75c91640dda4129a04a7f6eaa20d76f0a7a447b77f65ddf95c7adda7ec1658250bb6691d04e796a7f14db523bd4be14526c918cee2bd7bf38ddaa09c15df
-
Filesize
65KB
MD573873040c5eccd3d1b3a82e59c5a243a
SHA1860643e22cdca2d0e3e210c53c40ba90124a502a
SHA256fbdf5586cfc5046a772f979e8c2474d5659188dbb4414464d517e7e1e20830b7
SHA5122d2b9710834129abd9795c759b9b605244c54dbff7a974914004c8a34c772df27011a8937e5ff36d5ef16ef78e34f38b4c2a414666f1a61739de78849bebc8af
-
Filesize
65KB
MD51deb19963cad83fa61b32c8275589f9b
SHA156f770d80068601c31cde55243ce192b271859d8
SHA2562f09cdc04cc42a5323137a6c84bd96696094350813ca9ec34d411ab66ccbfca2
SHA5122bb111d988b43b130b98a8744eb56b81f2bb3fb9bf0e13bdd11f73a6a0d59d723121e5300f62e8b74ee1de498305441c9a170051bd6269e83ece847799588ee2
-
Filesize
65KB
MD5210574c08ab3e354470c3255ba24264b
SHA1a9badb96211a6da151ba57cbbff9e43ca7b3e2cb
SHA25601fccce6c8e4bb701c845c9428541c35c469ffcb4614c375e99f9ae9c87b8965
SHA5121c6028ea07f952008aa3c714ae003c21de4417157355d16a2921ddb6d3eb50511b8fcc087155dcdc9815f369cefff212c25aede4a9fa9e935ee60e3f39b5afeb
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
16KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
16KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB