Overview

overview

10

Static

static

3

eb64873d87...cs.exe

windows7-x64

10

eb64873d87...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    25/05/2024, 01:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb64873d877969358cb324f6fc35bea0_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    eb64873d877969358cb324f6fc35bea0

  • SHA1

    e53ab8e99b0a097f7c473a9c542eb5dcbae315bb

  • SHA256

    9ee06eb562f51b3ca0b44d019a25339363f5f07df8ac99eee70145cba8eda904

  • SHA512

    fa9968d50e2d50d6cd096c3fc631b975acad5153142f26ad89b77dd72472c41aef717ff627075d334263d1492000085201f5836b9052333a06a9acc45799d94c

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiaNNNNNNNNNNNNNNNNNNNNX:IeklMMYJhqezw/pXzH9iaNNNNNNNNNNX

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Detects BazaLoader malware 1 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb64873d877969358cb324f6fc35bea0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\eb64873d877969358cb324f6fc35bea0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2368
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2988
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2708
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3008
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2496
          • C:\Windows\SysWOW64\at.exe
            at 01:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2944
            • C:\Windows\SysWOW64\at.exe
              at 01:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2980
              • C:\Windows\SysWOW64\at.exe
                at 01:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:1788

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          0732124fa835d051c1a29a0de03c42f1

          SHA1

          7fef1c17bb8a787e92bc5d291d3410d82944b095

          SHA256

          77904f03dafa77c13cf492dbb6f4de8d37de2a287797d5ee27009d089a7b0069

          SHA512

          e4bc99df87ecf75c5f96b416a483ea37896b007abfcf793cb6725c8eff30f3185237c76a7315898ab0409191b1bf6ec595b982e4fa13813d3976586f1400019b

          Download Submit

        • \Windows\system\explorer.exe
          Filesize

          66KB

          MD5

          6bec62c9599ef4296f1c6ebccd6ae593

          SHA1

          51db14e7dc53e52f02b202f732ef7987aa8173d0

          SHA256

          3e00a675fafd776623b5b930ace370331ddc1980c91c5a7e7b9042cd7c453abc

          SHA512

          6f4df8718f8750bcbcd2b5792d8172c2dfdfb5ce011df3ad9a0254c42fa98d0c5231ed5d2a731210f970f1e84ccb2807fa89b6c8af435f8b075e8b4402413703

          Download Submit

        • \Windows\system\spoolsv.exe
          Filesize

          66KB

          MD5

          f7c7073e260b53e1532f2787458c7657

          SHA1

          4ad11ed06c65cbd3198a0784d3b38257a94552bd

          SHA256

          4aef4a0e37386a5c5f03252321301858623c61e4599efc81be6315d0dbdbac67

          SHA512

          c10734067f4fe00675ebf8558123d63516a30b7b0b89bab0a5e5f1705a67e7b338de2635bd2b476a64bc7ae90b6e3c8be7f561a2bce59f02057e5e93b64166fb

          Download Submit

        • \Windows\system\svchost.exe
          Filesize

          66KB

          MD5

          36e5e4091e8a1cc9df1a5f98f6a39a2f

          SHA1

          00420bfbf017150acd8b695de0743f1f4169d8e8

          SHA256

          a5036e41b61d6580cc16f5d7fbfe2f98d83b761a77b25f3a485f33898d475531

          SHA512

          476d47b5e536859f67d5de5cb19dd69e8a211195e87cbe8032bb91f16c9d169028b17e4d6c6e5a61d50af610187929db2933ce88a8b9628be1f1caeb7acb59fd

          Download Submit

        • memory/2368-2-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2368-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2368-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2368-18-0x00000000026A0000-0x00000000026D1000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2368-17-0x00000000026A0000-0x00000000026D1000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2368-78-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2368-79-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2368-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2368-1-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2368-65-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2496-66-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2496-72-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2496-67-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2708-53-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2708-48-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2708-36-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2708-74-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2988-19-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2988-41-0x0000000002CF0000-0x0000000002D21000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2988-40-0x0000000002CF0000-0x0000000002D21000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2988-23-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2988-20-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2988-81-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2988-92-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3008-60-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3008-55-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3008-83-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download