Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/05/2024, 03:35
Static task: static1
Behavioral task: behavioral1
  Sample: 5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe
Size: 65KB
MD5: 5c8240c58187f307d35c51c079639ff0
SHA1: ffc92d800d8f4c7c12f70c9047c46beae5c9efe8
SHA256: a232079f2c9dd01e7105ac504d50a4ad8ceb75ae9a9285e003f14381251830be
SHA512: 4e22a15e6eb7123588d4af0027a971f5f1711e0c0e556e9730af413ce33c11a1a15ffc8d17bd2768e884f88318e8225a9f9f60e33a28ef4f083b511f3cf19ee4
SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuHtttttttttttttttttt8:7WNqkOJWmo1HpM0MkTUmuHttttttttty
Malware Config
Signatures
Detects BazaLoader malware (1 IoC)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
resource: behavioral2/memory/4412-37-0x00000000754B0000-0x000000007560D000-memory.dmp
yara_rule: BazaLoader
Note that this is a single YARA hit on one in-memory region of svchost.exe (PID 4412), not on the file on disk, and no other signature in this report corroborates the family; the observable behaviour below (copies of itself dropped as explorer.exe/spoolsv.exe/svchost.exe under c:\windows\system, Active Setup, RunOnce, Winlogon Shell and at.exe persistence) should carry more weight than the label until the match is verified.
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Neither component name is a valid GUID (both contain non-hex characters such as VMVQ and OTRW), and the StubPath points into a user profile rather than the Windows or Program Files tree; both properties are easy hunting hooks for this persistence mechanism.
Executes dropped EXE (4 IoCs)
pid | process
3192 | explorer.exe
2788 | spoolsv.exe
4412 | svchost.exe
3680 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | process
File opened for modification | \??\c:\windows\system\explorer.exe | 5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
The file names mimic Windows binaries, but the directory does not: the genuine explorer.exe lives in C:\Windows and the genuine svchost.exe and spoolsv.exe in C:\Windows\System32, never in C:\Windows\system.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process | events
3764 | 5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe | 2
3192 | explorer.exe | 32
4412 | svchost.exe | 30
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | process
3192 | explorer.exe
4412 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | process | events
3764 | 5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe | 2
3192 | explorer.exe | 4
2788 | spoolsv.exe | 2
4412 | svchost.exe | 2
3680 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | process | procid_target | events
PID 3764 wrote to memory of 3192 | 3764 | 5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe | 83 | 3
PID 3192 wrote to memory of 2788 | 3192 | explorer.exe | 84 | 3
PID 2788 wrote to memory of 4412 | 2788 | spoolsv.exe | 86 | 3
PID 4412 wrote to memory of 3680 | 4412 | svchost.exe | 87 | 3
PID 4412 wrote to memory of 1356 | 4412 | svchost.exe | 89 | 3
PID 4412 wrote to memory of 1440 | 4412 | svchost.exe | 104 | 3
PID 4412 wrote to memory of 2292 | 4412 | svchost.exe | 114 | 3
Processes

[1] C:\Users\Admin\AppData\Local\Temp\5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\5c8240c58187f307d35c51c079639ff0_NeikiAnalytics.exe"
    PID: 3764
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] \??\c:\windows\system\explorer.exe
        command line: c:\windows\system\explorer.exe
        PID: 3192
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] \??\c:\windows\system\spoolsv.exe
            command line: c:\windows\system\spoolsv.exe SE
            PID: 2788
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] \??\c:\windows\system\svchost.exe
                command line: c:\windows\system\svchost.exe
                PID: 4412
                - Modifies WinLogon for persistence
                - Modifies visibility of hidden/system files in Explorer
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] \??\c:\windows\system\spoolsv.exe
                    command line: c:\windows\system\spoolsv.exe PR
                    PID: 3680
                    - Executes dropped EXE
                    - Suspicious use of SetWindowsHookEx

                [5] C:\Windows\SysWOW64\at.exe
                    command line: at 03:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 1356

                [5] C:\Windows\SysWOW64\at.exe
                    command line: at 03:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 1440

                [5] C:\Windows\SysWOW64\at.exe
                    command line: at 03:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 2292

The chain is dropper -> explorer.exe -> spoolsv.exe SE -> svchost.exe -> spoolsv.exe PR, each stage a copy written to c:\windows\system, with the last stage trying to schedule itself daily at one-minute intervals via at.exe. Every binary in the tree runs from C:\Windows\SysWOW64\at.exe or writes under WOW6432Node, so the sample is 32-bit and its registry writes are redirected on this x64 image.
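The persistence chain recorded above (Winlogon Shell, Active Setup StubPath, RunOnce, ShowSuperHidden, the copies dropped under c:\windows\system and %APPDATA%, and the at.exe jobs) can be checked on a live host with the script below. It is an added example written for this page, not code from the sandbox, the report, or the sample; it assumes the drop paths exactly as the report lists them (a real infection may use others), runs read-only, and expects an elevated 64-bit PowerShell prompt so that both the native and the WOW6432Node registry views are visible.

```powershell
# Added host-triage example (not part of the sandbox report, not the sample's code).
# Read-only: collects indicators matching the report and prints a table.
# Assumption: drop locations are exactly those in the report (c:\windows\system\*.exe,
# %APPDATA%\mrsys.exe); adjust $dropNames if a related sample uses other names.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($check, $where, $value) {
    $findings.Add([pscustomobject]@{ Check = $check; Location = $where; Value = $value })
}

# 1. Winlogon Shell. Report: shell = "C:\Windows\explorer.exe, c:\windows\system\explorer.exe".
#    The sample is 32-bit, so its write was redirected to WOW6432Node; check both views.
$winlogon = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon')
foreach ($k in $winlogon) {
    $v = (Get-ItemProperty -Path $k -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($v -and $v -ne 'explorer.exe') { Add-Finding 'Winlogon Shell' $k $v }
}

# 2. Active Setup StubPath. Report: StubPath = "C:\Users\Admin\AppData\Roaming\mrsys.exe MR".
#    Legitimate StubPaths point into %SystemRoot% or Program Files; a user profile is suspect.
#    Also flag component names that are not valid GUIDs (the report's contain VMVQ / OTRW).
$activeSetup = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components')
$guidRe = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
foreach ($root in $activeSetup) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
        if ($stub -and $stub -match '(?i)\\Users\\|AppData') { Add-Finding 'Active Setup StubPath' $_.PSPath $stub }
        if ($_.PSChildName -notmatch $guidRe) { Add-Finding 'Active Setup non-GUID name' $_.PSPath $_.PSChildName }
    }
}

# 3. Run / RunOnce values. Report: RunOnce\Explorer = "c:\windows\system\explorer.exe RO",
#    RunOnce\Svchost = "c:\windows\system\svchost.exe RO". Nothing legitimate lives in \Windows\system.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        if ("$($_.Value)" -match '(?i)\\windows\\system\\') { Add-Finding 'Run/RunOnce' "$k\$($_.Name)" $_.Value }
    }
}

# 4. ShowSuperHidden forced to 0 (hides protected OS files) in every loaded user hive.
Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object {
        $k = "Registry::HKEY_USERS\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        $v = (Get-ItemProperty -Path $k -Name ShowSuperHidden -ErrorAction SilentlyContinue).ShowSuperHidden
        if ($v -eq 0) { Add-Finding 'ShowSuperHidden=0' $k $v }
    }

# 5. Dropped files. Report: c:\windows\system\{explorer,spoolsv,svchost,udsys}.exe and %APPDATA%\mrsys.exe.
$dropNames = 'explorer.exe', 'spoolsv.exe', 'svchost.exe', 'udsys.exe'
$dropPaths = foreach ($n in $dropNames) { Join-Path "$env:SystemRoot\system" $n }
foreach ($m in Get-ChildItem "$env:SystemDrive\Users\*\AppData\Roaming\mrsys.exe" -ErrorAction SilentlyContinue) {
    $dropPaths += $m.FullName
}
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        Add-Finding 'Dropped file' $p "sha256=$h size=$((Get-Item -LiteralPath $p).Length)"
    }
}

# 6. Scheduled tasks whose action runs the dropped svchost.exe (what the at.exe commands tried to create).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match '(?i)\\windows\\system\\svchost\.exe') {
            Add-Finding 'Scheduled task' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)"
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this report found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Two caveats when reading the results. at.exe is deprecated on Windows 8 and later and on current Windows 10 builds normally refuses to create jobs, so the three at.exe launches in the tree are an attempt rather than proof that a task exists; step 6 confirms it either way. And because the sample's registry writes landed under WOW6432Node, a hit in only that view means the 32-bit persistence was planted even if the 64-bit components that read the native key never picked it up, which is why the script reports both views separately.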
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads (4 files)
All four are the same size as the submitted sample (65KB) but carry different hashes.

File 1
  Filesize: 65KB
  MD5: 9bb2a21fd9ea8497338ad064f3a79e6c
  SHA1: b03f54c3f02b0f7ce116edc4080909832ee37543
  SHA256: 8a206c442e38f68356a02d0e4bc57eb9fe76bfa11578695d3ee698b06744a753
  SHA512: e818034a939f632afe231c7f454c6d82f7ca77f6e1e75afa8d6ce6dfc23f11c48338d2f1bdbe1a09a0982597dc21803c8c5eecb23654b7550f15de16813b65b6

File 2
  Filesize: 65KB
  MD5: 69c98a1512d4ddbca4dd75ece612bc39
  SHA1: feed0f854caa46446c17fe566f7f22b8fe0e733e
  SHA256: 79091a059087cd0b668f7745a72e7904c90f231aed8605752215702a7652dc5f
  SHA512: 2d6007c78dbf4b9f9d131a045f4beb4a1b9ee98d3879b8a76c5753a6067d128d869bd90c3dc66e9d093c0e6400d1f137188e5ef1fb2d5eb02bb464c5f2fa0051

File 3
  Filesize: 65KB
  MD5: bb6b27eec0ab459285af071fc0b49664
  SHA1: 0eb369557d711436c340aedc751b0f793e430ba5
  SHA256: 92696ce6b182559235780a21fead09ba5072e0bb0519d8a77bccf9d85d1c8d7f
  SHA512: 7b83d9f47833045408cc4dafa3db624b759822bd5453df861da2e60ffd4eeb2aa39c119e35cfb659da81e1d5de6afe022bd612a058c5deb59533ed9c260d7ec7

File 4
  Filesize: 65KB
  MD5: b7eb82cce98c259f83df6848280d3f9e
  SHA1: 697c7c34ef977729dab50dc682c32a44466ede6a
  SHA256: 75f060ced9ef21a8da05d52a773ad8421b2c700910ddf2a00751335f783b235b
  SHA512: 47bd61db07f9cdc00a53ffc6f6a856c2cedda144279d45df3b0a33ad87c59abb928419db6a5ccef70b0b62ca4f62b9cd4e9c20364a3a7290c2dbc749a9e9c444