Analysis
Max time kernel: 150s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240220-en
Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
Submitted: 24-05-2024 04:48
Static task: static1
Behavioral task: behavioral1
  Sample: ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe
Size: 66KB
MD5: ab4158da9692aac9326d2fad63e5c180
SHA1: 35fc1725dde59cbfb1b63ac5d5fe7f93a99fc228
SHA256: 4a2f863a2f9b0e3f5ff688434f48a571c5f2ee64a2f7b12792717002e7fa6a19
SHA512: 608fc0f8fb4e3716e68ed36664ba4a6e06d62e30ad28a3d1396d34592cdbd12ec258f8b00e28431f0e0d7e00357112325adbdecde2b9349430908dea209e72b6
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXix:IeklMMYJhqezw/pXzH9ix
Malware Config
Signatures
Detects BazaLoader malware (1 IoC)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
  Resource: behavioral1/memory/2724-54-0x0000000072940000-0x0000000072A93000-memory.dmp
  YARA rule: BazaLoader
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  (explorer.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  (svchost.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (explorer.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (svchost.exe)
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: svchost.exe, explorer.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}  (svchost.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  (svchost.exe)
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  (svchost.exe)
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  (svchost.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  (svchost.exe)
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}  (svchost.exe)
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  (explorer.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  (explorer.exe)
Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  PID 2144  explorer.exe
  PID 2504  spoolsv.exe
  PID 2724  svchost.exe
  PID 2568  spoolsv.exe
Loads dropped DLL (8 IoCs)
Processes: ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
  PID 2028  ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe  (x2)
  PID 2144  explorer.exe  (x2)
  PID 2504  spoolsv.exe  (x2)
  PID 2724  svchost.exe  (x2)
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  (explorer.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  (explorer.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  (svchost.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  (svchost.exe)
Drops file in Windows directory (6 IoCs)
Processes: spoolsv.exe, explorer.exe, svchost.exe, ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe
  File opened for modification  \??\c:\windows\system\svchost.exe   (spoolsv.exe)
  File opened for modification  \??\c:\windows\system\explorer.exe  (explorer.exe)
  File opened for modification  \??\c:\windows\system\svchost.exe   (svchost.exe)
  File opened for modification  C:\Windows\system\udsys.exe         (explorer.exe)
  File opened for modification  \??\c:\windows\system\explorer.exe  (ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe)
  File opened for modification  \??\c:\windows\system\spoolsv.exe   (explorer.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe, explorer.exe, svchost.exe
  PID 2028  ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe
  PID 2144  explorer.exe  (repeated)
  PID 2724  svchost.exe   (repeated)
  (64 process-enumeration events in total across these three processes)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
  PID 2144  explorer.exe
  PID 2724  svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  PID 2028  ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe  (x2)
  PID 2144  explorer.exe  (x2)
  PID 2504  spoolsv.exe  (x2)
  PID 2724  svchost.exe  (x2)
  PID 2568  spoolsv.exe  (x2)
  PID 2144  explorer.exe  (x2)
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
  PID 2028 (ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe) wrote to memory of PID 2144 (explorer.exe)  (x4)
  PID 2144 (explorer.exe) wrote to memory of PID 2504 (spoolsv.exe)  (x4)
  PID 2504 (spoolsv.exe) wrote to memory of PID 2724 (svchost.exe)  (x4)
  PID 2724 (svchost.exe) wrote to memory of PID 2568 (spoolsv.exe)  (x4)
  PID 2724 (svchost.exe) wrote to memory of PID 1324 (at.exe)  (x4)
  PID 2724 (svchost.exe) wrote to memory of PID 1644 (at.exe)  (x4)
  PID 2724 (svchost.exe) wrote to memory of PID 548 (at.exe)  (x4)
Processes
C:\Users\Admin\AppData\Local\Temp\ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe  (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab4158da9692aac9326d2fad63e5c180_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe  (level 2)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe  (level 3)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe  (level 4)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe  (level 5)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe  (level 5)
          Command line: at 04:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe  (level 5)
          Command line: at 04:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe  (level 5)
          Command line: at 04:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
C:\Users\Admin\AppData\Roaming\mrsys.exe
  Filesize: 66KB
  MD5: cc0878d544b5c3ac81c25b0943d36569
  SHA1: 6894e8c95f2be013e9a8ea66b8ce1c0f4241fb2b
  SHA256: ad4967b5748d69277008739b56827a59ed3b2907b2933b684948d1ac5fd04e76
  SHA512: 06afd4bb0d0d7829cf40cdd43cdadb1411f2dd61c4ca7bd342013223e31df050a156451fc8640f7701f54d4c3183fa01e0c7de76d1315e88bc008c90ac477eec

\Windows\system\explorer.exe
  Filesize: 66KB
  MD5: cfe99e4ee1c47b9e48fe803dd9a49bd8
  SHA1: d29beff2ea437215dd17b7ac910641c7579b564a
  SHA256: bb4061e6daad7e8d4bed9b69ad2a8ec8466ddfe3edc94ded836a23a6f0099df8
  SHA512: 7512b1a591310383d3a5affa5fcab52a9b92a615dab15376c9359c86f655fc5d21965eb579588cd9ed4c558a37ce110d0d47e6205531a6e50bd55abe67444dbe

\Windows\system\spoolsv.exe
  Filesize: 66KB
  MD5: 68dfe377059618b57e8b81260497ed36
  SHA1: 5018d1df1e68c86dd6e717c63218154c493b43e4
  SHA256: 5f00cc05a3e1d952d07daade0babba62d5b3bebcf2ed2c28906e112468266c31
  SHA512: 47bbdd58634eb70bff4bf2a29c968ae4f6f225e648ca7cbb5ea5becf503babd31871de4cde21edc00d930db949702146615dcb10fecdf30d8612ec2df4884a54

\Windows\system\svchost.exe
  Filesize: 66KB
  MD5: 879b5137f4a193a3d0e9689106254278
  SHA1: 7fb51e3877f569b247015c6ab939ba21d554d1fd
  SHA256: 9e2040945c989528f39c81b7f552812ca5cdca28ea34cba5ac3537bc47c58b35
  SHA512: 5c459a7cf795fc9089cde89595cab027e119bfe30ead214cef6b1346a32942ff274d04eeec1e436930329b0968b00f170c168d74ec437a400a708b3792ee45bd