Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26/05/2024, 03:24
Static task: static1
Behavioral task: behavioral1
- Sample: 5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe
- Size: 66KB
- MD5: 5af5800767fdad8ab5a0828193493180
- SHA1: b295945b2ec3b280cda31b726e5505024cae9a77
- SHA256: 758bbc9096cb3457ef3d5b5edf66e1644875abb9dfc1b5b296f4796226cdd751
- SHA512: a2ea3b3adb058eac958432e223f383d1fe46a468d23e1a3f28fae905eabc15c0bee5ed3f1ff6fa6a85b9227d9166d7130a4a003bf98504a444c64642f346a4ac
- SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXip:IeklMMYJhqezw/pXzH9ip
Malware Config
Signatures
- Detects BazaLoader malware (1 IoC)
  BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
  resource: behavioral1/memory/2388-53-0x0000000072940000-0x0000000072A93000-memory.dmp, yara_rule: BazaLoader
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: svchost.exe)
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
- Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
  Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
  Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
- Executes dropped EXE (4 IoCs)
  PID 2640 explorer.exe
  PID 2600 spoolsv.exe
  PID 2388 svchost.exe
  PID 2444 spoolsv.exe
- Loads dropped DLL (8 IoCs)
  PID 1312 5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe (2 hits)
  PID 2640 explorer.exe (2 hits)
  PID 2600 spoolsv.exe (2 hits)
  PID 2388 svchost.exe (2 hits)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: svchost.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: svchost.exe)
- Drops file in Windows directory (6 IoCs)
  File opened for modification \??\c:\windows\system\svchost.exe (process: spoolsv.exe)
  File opened for modification \??\c:\windows\system\explorer.exe (process: explorer.exe)
  File opened for modification \??\c:\windows\system\svchost.exe (process: svchost.exe)
  File opened for modification C:\Windows\system\udsys.exe (process: explorer.exe)
  File opened for modification \??\c:\windows\system\explorer.exe (process: 5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe)
  File opened for modification \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Repeated hits from PID 1312 5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe, PID 2640 explorer.exe and PID 2388 svchost.exe (64 entries in total; the entries for 2640 and 2388 recur throughout the run).
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 2640 explorer.exe
  PID 2388 svchost.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  PID 1312 5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe (2 hits)
  PID 2640 explorer.exe (4 hits)
  PID 2600 spoolsv.exe (2 hits)
  PID 2388 svchost.exe (2 hits)
  PID 2444 spoolsv.exe (2 hits)
- Suspicious use of WriteProcessMemory (28 IoCs; each relation is logged 4 times)
  PID 1312 (5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe) wrote to memory of 2640, target procid 28
  PID 2640 (explorer.exe) wrote to memory of 2600, target procid 29
  PID 2600 (spoolsv.exe) wrote to memory of 2388, target procid 30
  PID 2388 (svchost.exe) wrote to memory of 2444, target procid 31
  PID 2388 (svchost.exe) wrote to memory of 1444, target procid 32
  PID 2388 (svchost.exe) wrote to memory of 2284, target procid 36
  PID 2388 (svchost.exe) wrote to memory of 2424, target procid 38
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1312
  - [depth 2] \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2640
    - [depth 3] \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2600
      - [depth 4] \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2388
        - [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          PID: 2444
        - [depth 5] C:\Windows\SysWOW64\at.exe
          Command line: at 03:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1444
        - [depth 5] C:\Windows\SysWOW64\at.exe
          Command line: at 03:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2284
        - [depth 5] C:\Windows\SysWOW64\at.exe
          Command line: at 03:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2424
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads