14b0b3a0b564441b3a46c18399ddbf56580e34198606a5b24229a11b0b6aad8d

General

Target

0fa1eca4e2d944d64eed15f0185e6270_NeikiAnalytics.exe
Size

66KB
MD5

0fa1eca4e2d944d64eed15f0185e6270
SHA1

db36b7720d954d51199ba3c6ea5874d14a65bf29
SHA256

14b0b3a0b564441b3a46c18399ddbf56580e34198606a5b24229a11b0b6aad8d
SHA512

a44b574383028330bf840cfe77f58e81ed0ee6dcfb0e9bc953b7b8363a9dbec25deb3aa3d1035234fb18d9bae64628db018f7e5baeb3238338a431b64131563f
SSDEEP

1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXie:IeklMMYJhqezw/pXzH9ie

Score

10^/10

Malware Config

Signatures

Detects BazaLoader malware 1 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral1/memory/2776-57-0x0000000072940000-0x0000000072A93000-memory.dmp	BazaLoader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2840 explorer.exe
2772 spoolsv.exe
2776 svchost.exe
2552 spoolsv.exe

pid	process
2840	explorer.exe
2772	spoolsv.exe
2776	svchost.exe
2552	spoolsv.exe

Loads dropped DLL 8 IoCs

Processes:

0fa1eca4e2d944d64eed15f0185e6270_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

pid	process
1312	0fa1eca4e2d944d64eed15f0185e6270_NeikiAnalytics.exe
1312	0fa1eca4e2d944d64eed15f0185e6270_NeikiAnalytics.exe
2840	explorer.exe
2840	explorer.exe
2772	spoolsv.exe
2772	spoolsv.exe
2776	svchost.exe
2776	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

0fa1eca4e2d944d64eed15f0185e6270_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	0fa1eca4e2d944d64eed15f0185e6270_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0fa1eca4e2d944d64eed15f0185e6270_NeikiAnalytics.exeexplorer.exesvchost.exe

pid	process
1312	0fa1eca4e2d944d64eed15f0185e6270_NeikiAnalytics.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2840	explorer.exe
2776	svchost.exe
2840	explorer.exe
2776	svchost.exe
2840	explorer.exe
2776	svchost.exe
2840	explorer.exe
2840	explorer.exe
2776	svchost.exe
2840	explorer.exe
2776	svchost.exe
2776	svchost.exe
2840	explorer.exe
2840	explorer.exe
2776	svchost.exe
2776	svchost.exe
2840	explorer.exe
2776	svchost.exe
2840	explorer.exe
2776	svchost.exe
2840	explorer.exe
2840	explorer.exe
2776	svchost.exe
2840	explorer.exe
2776	svchost.exe
2776	svchost.exe
2840	explorer.exe
2776	svchost.exe
2840	explorer.exe
2840	explorer.exe
2776	svchost.exe
2776	svchost.exe
2840	explorer.exe
2776	svchost.exe
2840	explorer.exe
2776	svchost.exe
2840	explorer.exe
2840	explorer.exe
2776	svchost.exe
2776	svchost.exe
2840	explorer.exe
2840	explorer.exe
2776	svchost.exe
2840	explorer.exe
2776	svchost.exe
2776	svchost.exe
2840	explorer.exe
2840	explorer.exe
2776	svchost.exe
2776	svchost.exe
2840	explorer.exe
2840	explorer.exe
2776	svchost.exe
2840	explorer.exe
2776	svchost.exe
2776	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2840 explorer.exe
2776 svchost.exe

pid	process
2840	explorer.exe
2776	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

0fa1eca4e2d944d64eed15f0185e6270_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1312	0fa1eca4e2d944d64eed15f0185e6270_NeikiAnalytics.exe
1312	0fa1eca4e2d944d64eed15f0185e6270_NeikiAnalytics.exe
2840	explorer.exe
2840	explorer.exe
2772	spoolsv.exe
2772	spoolsv.exe
2776	svchost.exe
2776	svchost.exe
2552	spoolsv.exe
2552	spoolsv.exe
2840	explorer.exe
2840	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

0fa1eca4e2d944d64eed15f0185e6270_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1312 wrote to memory of 2840	1312	0fa1eca4e2d944d64eed15f0185e6270_NeikiAnalytics.exe	explorer.exe
PID 1312 wrote to memory of 2840	1312	0fa1eca4e2d944d64eed15f0185e6270_NeikiAnalytics.exe	explorer.exe
PID 1312 wrote to memory of 2840	1312	0fa1eca4e2d944d64eed15f0185e6270_NeikiAnalytics.exe	explorer.exe
PID 1312 wrote to memory of 2840	1312	0fa1eca4e2d944d64eed15f0185e6270_NeikiAnalytics.exe	explorer.exe
PID 2840 wrote to memory of 2772	2840	explorer.exe	spoolsv.exe
PID 2840 wrote to memory of 2772	2840	explorer.exe	spoolsv.exe
PID 2840 wrote to memory of 2772	2840	explorer.exe	spoolsv.exe
PID 2840 wrote to memory of 2772	2840	explorer.exe	spoolsv.exe
PID 2772 wrote to memory of 2776	2772	spoolsv.exe	svchost.exe
PID 2772 wrote to memory of 2776	2772	spoolsv.exe	svchost.exe
PID 2772 wrote to memory of 2776	2772	spoolsv.exe	svchost.exe
PID 2772 wrote to memory of 2776	2772	spoolsv.exe	svchost.exe
PID 2776 wrote to memory of 2552	2776	svchost.exe	spoolsv.exe
PID 2776 wrote to memory of 2552	2776	svchost.exe	spoolsv.exe
PID 2776 wrote to memory of 2552	2776	svchost.exe	spoolsv.exe
PID 2776 wrote to memory of 2552	2776	svchost.exe	spoolsv.exe
PID 2776 wrote to memory of 1448	2776	svchost.exe	at.exe
PID 2776 wrote to memory of 1448	2776	svchost.exe	at.exe
PID 2776 wrote to memory of 1448	2776	svchost.exe	at.exe
PID 2776 wrote to memory of 1448	2776	svchost.exe	at.exe
PID 2776 wrote to memory of 1636	2776	svchost.exe	at.exe
PID 2776 wrote to memory of 1636	2776	svchost.exe	at.exe
PID 2776 wrote to memory of 1636	2776	svchost.exe	at.exe
PID 2776 wrote to memory of 1636	2776	svchost.exe	at.exe
PID 2776 wrote to memory of 1076	2776	svchost.exe	at.exe
PID 2776 wrote to memory of 1076	2776	svchost.exe	at.exe
PID 2776 wrote to memory of 1076	2776	svchost.exe	at.exe
PID 2776 wrote to memory of 1076	2776	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\0fa1eca4e2d944d64eed15f0185e6270_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0fa1eca4e2d944d64eed15f0185e6270_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Windows\SysWOW64\at.exe
at 09:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:1448

C:\Windows\SysWOW64\at.exe
at 09:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:1636

C:\Windows\SysWOW64\at.exe
at 09:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:1076

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
66KB

MD5
b0839df570785cfc4b52fcb57a074750

SHA1
24920e7b413f0e4455154862972a9bfe602cb241

SHA256
e21be183e7b21faf4531d80e43ba55f1f1892febd758f5a92349e16083d8f917

SHA512
3947796885a81766840aac5923d2deb3b254c5fdf8080d6e6cb3a954d93aa6b5efe0b24e8d1d6b612ef396d3d5fc6d2b2f8a9cc42b3ded5de2372411803ca4d8

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
66KB

MD5
cbfd515336bfec8f29067d68ca7fe2f6

SHA1
55edd007e1700575be37725ca1b0a9c4506ba0b2

SHA256
28240ca2b730928ad3aeae4c80c7748a603f556fcd7b068bebf5505a7281ab0a

SHA512
29dae0e5588f1d10d0b0fc0b77fd39b2443815f3348e17775a9ee8cb26e92813698deb43e3ac34f87551d07d7812a66b92ec7c5c4fa29bfd5f4c3f7b4786b187

Download Submit
\Windows\system\explorer.exe
Filesize
66KB

MD5
cea3aaeb329ae7e6af153d83908723ec

SHA1
56c3aa853cc8275f50814d866ff071b30d5b2e9c

SHA256
c34de5aa3b1a3bd4c728cd83c87b7aa18b1f7cde3a506e1af55e3369e0f4cf35

SHA512
08a180541485edd1f638513a0f8f979f8fb42cdb059a876c86a05bd92803917b17b42bcd12c0fbd64d13979990c30512888d2cef6196f65499a0f1845db6e420

Download Submit
\Windows\system\svchost.exe
Filesize
66KB

MD5
ba5813d65b27dbc8ceb4dcd7128e9d91

SHA1
7ae8268fa0eb5271eafea106b0ca869dbe8c321c

SHA256
7d9c994627baf7f379a02b503609ffc1ee9a3fab9611ffffa498e2d38af6ca6a

SHA512
2d31dba7b5dd78518a7ae8569298ef092768fd96a8d74c20bf012d26d84a60da443fd224c7af00143a03c4774e5c8104a147bb355d6f9d669d081367f8aa2cde

Download Submit
memory/1312-17-0x0000000002600000-0x0000000002631000-memory.dmp

Filesize
196KB

Download
memory/1312-4-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1312-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1312-16-0x0000000002600000-0x0000000002631000-memory.dmp

Filesize
196KB

Download
memory/1312-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1312-80-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1312-81-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1312-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1312-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1312-54-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1312-47-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2552-74-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2552-68-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2772-78-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2772-55-0x0000000002850000-0x0000000002881000-memory.dmp

Filesize
196KB

Download
memory/2772-37-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2772-41-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2776-56-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2776-57-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2776-61-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2776-84-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2840-30-0x0000000002BF0000-0x0000000002C21000-memory.dmp

Filesize
196KB

Download
memory/2840-36-0x0000000002BF0000-0x0000000002C21000-memory.dmp

Filesize
196KB

Download
memory/2840-23-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2840-19-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2840-83-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2840-65-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2840-93-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads