4a2f863a2f9b0e3f5ff688434f48a571c5f2ee64a2f7b12792717002e7fa6a19

General

Target

ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe
Size

66KB
MD5

ab4158da9692aac9326d2fad63e5c180
SHA1

35fc1725dde59cbfb1b63ac5d5fe7f93a99fc228
SHA256

4a2f863a2f9b0e3f5ff688434f48a571c5f2ee64a2f7b12792717002e7fa6a19
SHA512

608fc0f8fb4e3716e68ed36664ba4a6e06d62e30ad28a3d1396d34592cdbd12ec258f8b00e28431f0e0d7e00357112325adbdecde2b9349430908dea209e72b6
SSDEEP

1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXix:IeklMMYJhqezw/pXzH9ix

Score

10^/10

Malware Config

Signatures

Detects BazaLoader malware 1 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
behavioral1/memory/2724-54-0x0000000072940000-0x0000000072A93000-memory.dmp	BazaLoader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2144 explorer.exe
2504 spoolsv.exe
2724 svchost.exe
2568 spoolsv.exe

pid	process
2144	explorer.exe
2504	spoolsv.exe
2724	svchost.exe
2568	spoolsv.exe

Loads dropped DLL 8 IoCs

Processes:

ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

pid	process
2028	ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe
2028	ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe
2144	explorer.exe
2144	explorer.exe
2504	spoolsv.exe
2504	spoolsv.exe
2724	svchost.exe
2724	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

spoolsv.exeexplorer.exesvchost.exeab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exeexplorer.exesvchost.exe

pid	process
2028	ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe
2144	explorer.exe
2144	explorer.exe
2144	explorer.exe
2724	svchost.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe
2144	explorer.exe
2724	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2144 explorer.exe
2724 svchost.exe

pid	process
2144	explorer.exe
2724	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2028	ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe
2028	ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe
2144	explorer.exe
2144	explorer.exe
2504	spoolsv.exe
2504	spoolsv.exe
2724	svchost.exe
2724	svchost.exe
2568	spoolsv.exe
2568	spoolsv.exe
2144	explorer.exe
2144	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2028 wrote to memory of 2144	2028	ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe	explorer.exe
PID 2028 wrote to memory of 2144	2028	ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe	explorer.exe
PID 2028 wrote to memory of 2144	2028	ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe	explorer.exe
PID 2028 wrote to memory of 2144	2028	ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe	explorer.exe
PID 2144 wrote to memory of 2504	2144	explorer.exe	spoolsv.exe
PID 2144 wrote to memory of 2504	2144	explorer.exe	spoolsv.exe
PID 2144 wrote to memory of 2504	2144	explorer.exe	spoolsv.exe
PID 2144 wrote to memory of 2504	2144	explorer.exe	spoolsv.exe
PID 2504 wrote to memory of 2724	2504	spoolsv.exe	svchost.exe
PID 2504 wrote to memory of 2724	2504	spoolsv.exe	svchost.exe
PID 2504 wrote to memory of 2724	2504	spoolsv.exe	svchost.exe
PID 2504 wrote to memory of 2724	2504	spoolsv.exe	svchost.exe
PID 2724 wrote to memory of 2568	2724	svchost.exe	spoolsv.exe
PID 2724 wrote to memory of 2568	2724	svchost.exe	spoolsv.exe
PID 2724 wrote to memory of 2568	2724	svchost.exe	spoolsv.exe
PID 2724 wrote to memory of 2568	2724	svchost.exe	spoolsv.exe
PID 2724 wrote to memory of 1324	2724	svchost.exe	at.exe
PID 2724 wrote to memory of 1324	2724	svchost.exe	at.exe
PID 2724 wrote to memory of 1324	2724	svchost.exe	at.exe
PID 2724 wrote to memory of 1324	2724	svchost.exe	at.exe
PID 2724 wrote to memory of 1644	2724	svchost.exe	at.exe
PID 2724 wrote to memory of 1644	2724	svchost.exe	at.exe
PID 2724 wrote to memory of 1644	2724	svchost.exe	at.exe
PID 2724 wrote to memory of 1644	2724	svchost.exe	at.exe
PID 2724 wrote to memory of 548	2724	svchost.exe	at.exe
PID 2724 wrote to memory of 548	2724	svchost.exe	at.exe
PID 2724 wrote to memory of 548	2724	svchost.exe	at.exe
PID 2724 wrote to memory of 548	2724	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2568

C:\Windows\SysWOW64\at.exe
at 04:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:1324

C:\Windows\SysWOW64\at.exe
at 04:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:1644

C:\Windows\SysWOW64\at.exe
at 04:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:548

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
66KB

MD5
cc0878d544b5c3ac81c25b0943d36569

SHA1
6894e8c95f2be013e9a8ea66b8ce1c0f4241fb2b

SHA256
ad4967b5748d69277008739b56827a59ed3b2907b2933b684948d1ac5fd04e76

SHA512
06afd4bb0d0d7829cf40cdd43cdadb1411f2dd61c4ca7bd342013223e31df050a156451fc8640f7701f54d4c3183fa01e0c7de76d1315e88bc008c90ac477eec

Download Submit
\Windows\system\explorer.exe
Filesize
66KB

MD5
cfe99e4ee1c47b9e48fe803dd9a49bd8

SHA1
d29beff2ea437215dd17b7ac910641c7579b564a

SHA256
bb4061e6daad7e8d4bed9b69ad2a8ec8466ddfe3edc94ded836a23a6f0099df8

SHA512
7512b1a591310383d3a5affa5fcab52a9b92a615dab15376c9359c86f655fc5d21965eb579588cd9ed4c558a37ce110d0d47e6205531a6e50bd55abe67444dbe

Download Submit
\Windows\system\spoolsv.exe
Filesize
66KB

MD5
68dfe377059618b57e8b81260497ed36

SHA1
5018d1df1e68c86dd6e717c63218154c493b43e4

SHA256
5f00cc05a3e1d952d07daade0babba62d5b3bebcf2ed2c28906e112468266c31

SHA512
47bbdd58634eb70bff4bf2a29c968ae4f6f225e648ca7cbb5ea5becf503babd31871de4cde21edc00d930db949702146615dcb10fecdf30d8612ec2df4884a54

Download Submit
\Windows\system\svchost.exe
Filesize
66KB

MD5
879b5137f4a193a3d0e9689106254278

SHA1
7fb51e3877f569b247015c6ab939ba21d554d1fd

SHA256
9e2040945c989528f39c81b7f552812ca5cdca28ea34cba5ac3537bc47c58b35

SHA512
5c459a7cf795fc9089cde89595cab027e119bfe30ead214cef6b1346a32942ff274d04eeec1e436930329b0968b00f170c168d74ec437a400a708b3792ee45bd

Download Submit
memory/2028-1-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2028-4-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2028-16-0x00000000032B0000-0x00000000032E1000-memory.dmp

Filesize
196KB

Download
memory/2028-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2028-79-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2028-2-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2028-80-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2028-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2028-56-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2144-64-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2144-34-0x0000000002680000-0x00000000026B1000-memory.dmp

Filesize
196KB

Download
memory/2144-92-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2144-82-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2144-20-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2144-35-0x0000000002680000-0x00000000026B1000-memory.dmp

Filesize
196KB

Download
memory/2144-18-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2504-36-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2504-37-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2504-52-0x0000000002740000-0x0000000002771000-memory.dmp

Filesize
196KB

Download
memory/2504-41-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2504-77-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2568-67-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2568-73-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2724-54-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2724-83-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2724-59-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2724-60-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads