Analysis
-
max time kernel: 150s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/05/2024, 03:24
Static task: static1
Behavioral task: behavioral1
Sample: 5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
-
Target: 5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe
Size: 66KB
MD5: 5af5800767fdad8ab5a0828193493180
SHA1: b295945b2ec3b280cda31b726e5505024cae9a77
SHA256: 758bbc9096cb3457ef3d5b5edf66e1644875abb9dfc1b5b296f4796226cdd751
SHA512: a2ea3b3adb058eac958432e223f383d1fe46a468d23e1a3f28fae905eabc15c0bee5ed3f1ff6fa6a85b9227d9166d7130a4a003bf98504a444c64642f346a4ac
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXip:IeklMMYJhqezw/pXzH9ip
Malware Config
Signatures
-
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
- resource: behavioral2/memory/3928-37-0x0000000075700000-0x000000007585D000-memory.dmp, yara_rule: BazaLoader
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: svchost.exe)
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
-
Executes dropped EXE 4 IoCs
- PID 372: explorer.exe
- PID 3772: spoolsv.exe
- PID 3928: svchost.exe
- PID 2456: spoolsv.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: svchost.exe)
-
Drops file in Windows directory 6 IoCs
- File opened for modification \??\c:\windows\system\explorer.exe (process: 5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe)
- File opened for modification \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (process: spoolsv.exe)
- File opened for modification \??\c:\windows\system\explorer.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (process: svchost.exe)
- File opened for modification C:\Windows\system\udsys.exe (process: explorer.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process (64 entries, repeated hits collapsed to the three processes involved):
- PID 744: 5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe
- PID 372: explorer.exe
- PID 3928: svchost.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
- PID 372: explorer.exe
- PID 3928: svchost.exe
-
Suspicious use of SetWindowsHookEx 12 IoCs
pid / Process (12 entries, repeated hits collapsed):
- PID 744: 5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe (2 hits)
- PID 372: explorer.exe (4 hits)
- PID 3772: spoolsv.exe (2 hits)
- PID 3928: svchost.exe (2 hits)
- PID 2456: spoolsv.exe (2 hits)
-
Suspicious use of WriteProcessMemory 21 IoCs
description / pid / Process / procid_target (21 entries, each relationship recorded 3 times):
- PID 744 wrote to memory of 372 (pid 744, 5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe, procid_target 84)
- PID 372 wrote to memory of 3772 (pid 372, explorer.exe, procid_target 85)
- PID 3772 wrote to memory of 3928 (pid 3772, spoolsv.exe, procid_target 86)
- PID 3928 wrote to memory of 2456 (pid 3928, svchost.exe, procid_target 87)
- PID 3928 wrote to memory of 4924 (pid 3928, svchost.exe, procid_target 88)
- PID 3928 wrote to memory of 4232 (pid 3928, svchost.exe, procid_target 103)
- PID 3928 wrote to memory of 1496 (pid 3928, svchost.exe, procid_target 110)
Processes
-
- C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe (level 1, PID 744)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (level 2, PID 372)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (level 3, PID 3772)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (level 4, PID 3928)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (level 5, PID 2456)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (level 5, PID 4924)
          Command line: at 03:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (level 5, PID 4232)
          Command line: at 03:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (level 5, PID 1496)
          Command line: at 03:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)