Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26/05/2024, 03:35
Static task: static1
Behavioral task: behavioral1
  Sample: 5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe
Size: 65KB
MD5: 5c8240c58187f307d35c51c079639ff0
SHA1: ffc92d800d8f4c7c12f70c9047c46beae5c9efe8
SHA256: a232079f2c9dd01e7105ac504d50a4ad8ceb75ae9a9285e003f14381251830be
SHA512: 4e22a15e6eb7123588d4af0027a971f5f1711e0c0e556e9730af413ce33c11a1a15ffc8d17bd2768e884f88318e8225a9f9f60e33a28ef4f083b511f3cf19ee4
SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuHtttttttttttttttttt8:7WNqkOJWmo1HpM0MkTUmuHttttttttty
Malware Config
Signatures
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
resource | yara_rule
behavioral1/memory/1736-55-0x0000000072940000-0x0000000072A93000-memory.dmp | BazaLoader
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry 2 TTPs 8 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Executes dropped EXE 4 IoCs
pid | Process
2336 | explorer.exe
2572 | spoolsv.exe
1736 | svchost.exe
2660 | spoolsv.exe
Loads dropped DLL 8 IoCs
pid | Process
1948 | 5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe
1948 | 5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe
2336 | explorer.exe
2336 | explorer.exe
2572 | spoolsv.exe
2572 | spoolsv.exe
1736 | svchost.exe
1736 | svchost.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory 6 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | 5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (64 entries; identical rows collapsed with their count)
1948 | 5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe (1 entry)
2336 | explorer.exe (33 entries)
1736 | svchost.exe (30 entries)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
2336 | explorer.exe
1736 | svchost.exe
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
1948 | 5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe
1948 | 5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe
2336 | explorer.exe
2336 | explorer.exe
2572 | spoolsv.exe
2572 | spoolsv.exe
1736 | svchost.exe
1736 | svchost.exe
2660 | spoolsv.exe
2660 | spoolsv.exe
2336 | explorer.exe
2336 | explorer.exe
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target (each row appears 4 times in the report, 28 entries in total)
PID 1948 wrote to memory of 2336 | 1948 | 5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe | 28
PID 2336 wrote to memory of 2572 | 2336 | explorer.exe | 29
PID 2572 wrote to memory of 1736 | 2572 | spoolsv.exe | 30
PID 1736 wrote to memory of 2660 | 1736 | svchost.exe | 31
PID 1736 wrote to memory of 2884 | 1736 | svchost.exe | 32
PID 1736 wrote to memory of 592 | 1736 | svchost.exe | 36
PID 1736 wrote to memory of 560 | 1736 | svchost.exe | 38
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe"
  PID: 1948
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  (level 2) \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 2336
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    (level 3) \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 2572
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      (level 4) \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 1736
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        (level 5) \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 2660
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        (level 5) C:\Windows\SysWOW64\at.exe
          Command line: at 03:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2884
        (level 5) C:\Windows\SysWOW64\at.exe
          Command line: at 03:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 592
        (level 5) C:\Windows\SysWOW64\at.exe
          Command line: at 03:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 560
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
- Filesize: 65KB
  MD5: 6f02be24e1135f5a998673fba3d54cf7
  SHA1: be633c1227c6f365ab13d262f313d64376eef233
  SHA256: 517ecc499d897417c7280639c267dc8a9c8701d4d409e3f7b1cbe17ed462d01d
  SHA512: ae7a16f43cc5c999976e40acfe18bc28f05b0a8daf68cab9552c5cfe26676ba3e05fe4e973b162804827030bee7e4f87283a6c1f8cf377655b65d5c8415067aa
- Filesize: 65KB
  MD5: 8ab8b61ff4a32028f27c2dae64e45792
  SHA1: c7cf4fb4711e57b050daa320d336db10580eb7a7
  SHA256: 8a2b1abbc005ac6244168d90d04786279de103e96646325b2ef83f2cd055ec39
  SHA512: f7c55786724e573a1c616cb0358b76d1a1b3d0fff1b0eeae92a0c9c64eb61dd0537238dcefa20716228cf1928578e407464141c9514140ae0a8ee7253be1c4ff
- Filesize: 65KB
  MD5: 98b7a63e3f909aed7801eecf4b4aa41d
  SHA1: 712caec4bb8ed7790856d9ecdb8bf98aa1d63ad4
  SHA256: ed14a3ee572a6605f998cab1b8d1b3357012a2006d287c65b9ec33f4809966b2
  SHA512: 5cf6e669a79b3eaac016c4e3bff234cd376339c3347516cd8aa14296062f097ec8096c2f01e17de0160693eb97cf430a3ecf189f99dbee04cc0c146257625741
- Filesize: 65KB
  MD5: b547ea416b127007f0e0ed3c4e7ba55b
  SHA1: 63f0898ffe66122a9624a28acd147bd71921a1d4
  SHA256: 701cd59ccbccb02443e8c8b8fa429d859b2a0797fb5fe159667e0276c5bfdb8f
  SHA512: 0ffa482d20b43a4ab8f80d3d39848b4c73b1034fffbde57f79f894f0b39b14cc718162a6a9a618117569e1c9580e1756f841c5bdb814c6b9b92d5882021a4a03