e39a2a092af3e3bbc81910a22bee932437896f9a3b99bbf16ab3bf3778081910

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84724ce7f6587326f35e8cca361b8dc0_NeikiAnalytics.exe
Size

66KB
MD5

84724ce7f6587326f35e8cca361b8dc0
SHA1

be241b027c2537b6cd701ef983123525b6606b41
SHA256

e39a2a092af3e3bbc81910a22bee932437896f9a3b99bbf16ab3bf3778081910
SHA512

dced82edde223517781bb98358de19cb982d55dd20ea1379d92663958a69cc243397be3f495c201e5601f7705d49026b48d05c7a419dec846c7ca69247a43e5a
SSDEEP

1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiXSSSSSSSSSSSSSSSSSSSSv:IeklMMYJhqezw/pXzH9iXSSSSSSSSSSH

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Detects BazaLoader malware 1 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

resource	yara_rule
behavioral1/memory/2812-53-0x0000000072940000-0x0000000072A93000-memory.dmp	BazaLoader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2696	explorer.exe
2744	spoolsv.exe
2812	svchost.exe
2624	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2232	84724ce7f6587326f35e8cca361b8dc0_NeikiAnalytics.exe
2232	84724ce7f6587326f35e8cca361b8dc0_NeikiAnalytics.exe
2696	explorer.exe
2696	explorer.exe
2744	spoolsv.exe
2744	spoolsv.exe
2812	svchost.exe
2812	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	84724ce7f6587326f35e8cca361b8dc0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2232	84724ce7f6587326f35e8cca361b8dc0_NeikiAnalytics.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2696	explorer.exe
2812	svchost.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe
2812	svchost.exe
2696	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2696	explorer.exe
2812	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2232	84724ce7f6587326f35e8cca361b8dc0_NeikiAnalytics.exe
2232	84724ce7f6587326f35e8cca361b8dc0_NeikiAnalytics.exe
2696	explorer.exe
2696	explorer.exe
2744	spoolsv.exe
2744	spoolsv.exe
2812	svchost.exe
2812	svchost.exe
2624	spoolsv.exe
2624	spoolsv.exe
2696	explorer.exe
2696	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2696	2232	84724ce7f6587326f35e8cca361b8dc0_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2696	2232	84724ce7f6587326f35e8cca361b8dc0_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2696	2232	84724ce7f6587326f35e8cca361b8dc0_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2696	2232	84724ce7f6587326f35e8cca361b8dc0_NeikiAnalytics.exe	28
PID 2696 wrote to memory of 2744	2696	explorer.exe	29
PID 2696 wrote to memory of 2744	2696	explorer.exe	29
PID 2696 wrote to memory of 2744	2696	explorer.exe	29
PID 2696 wrote to memory of 2744	2696	explorer.exe	29
PID 2744 wrote to memory of 2812	2744	spoolsv.exe	30
PID 2744 wrote to memory of 2812	2744	spoolsv.exe	30
PID 2744 wrote to memory of 2812	2744	spoolsv.exe	30
PID 2744 wrote to memory of 2812	2744	spoolsv.exe	30
PID 2812 wrote to memory of 2624	2812	svchost.exe	31
PID 2812 wrote to memory of 2624	2812	svchost.exe	31
PID 2812 wrote to memory of 2624	2812	svchost.exe	31
PID 2812 wrote to memory of 2624	2812	svchost.exe	31
PID 2812 wrote to memory of 2172	2812	svchost.exe	32
PID 2812 wrote to memory of 2172	2812	svchost.exe	32
PID 2812 wrote to memory of 2172	2812	svchost.exe	32
PID 2812 wrote to memory of 2172	2812	svchost.exe	32
PID 2812 wrote to memory of 1036	2812	svchost.exe	36
PID 2812 wrote to memory of 1036	2812	svchost.exe	36
PID 2812 wrote to memory of 1036	2812	svchost.exe	36
PID 2812 wrote to memory of 1036	2812	svchost.exe	36
PID 2812 wrote to memory of 1964	2812	svchost.exe	38
PID 2812 wrote to memory of 1964	2812	svchost.exe	38
PID 2812 wrote to memory of 1964	2812	svchost.exe	38
PID 2812 wrote to memory of 1964	2812	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\84724ce7f6587326f35e8cca361b8dc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\84724ce7f6587326f35e8cca361b8dc0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2696
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2624
    - - C:\Windows\SysWOW64\at.exe
        
        at 09:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2172
    - - C:\Windows\SysWOW64\at.exe
        
        at 09:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1036
    - - C:\Windows\SysWOW64\at.exe
        
        at 09:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
66KB

MD5
31d0567e8fde11711abaae03cf477743

SHA1
3edfe45cf4110bec0fd74341fd69f41f9603bddc

SHA256
cdaec4c8ba58084ba00fc47e65aa6c655dd2f5f2f35956c30ad724c21dcedbe4

SHA512
876bd4d43ad24ff131229b8f54856b94f0019cd03adea13157239ef61d0fe3c86c60a468d5bde19bbe2fc90899ef99ae83386153256283496b3ceac78d48a57a

Download Submit
\Windows\system\explorer.exe

Filesize
66KB

MD5
1e3effaeca7ff15d99b9af2fd519be14

SHA1
cd014ded9ab3476101067182c16e43dbcd3d649a

SHA256
a3719945c0e46ee4bae115cb01c9c5734959cd31087c6c0ba2407cffaf47d59d

SHA512
066ac95da0ddc9951718f9db94096107a69d1bcb70fc97d7426a4c8dac41a0e30408567322bd313308a61f8cb4f43a2601fd1726d48049996e5a6d1c43f482de

Download Submit
\Windows\system\spoolsv.exe

Filesize
66KB

MD5
734ac902db632e3feffc681d0ac6d8c9

SHA1
9ca353e9ea0a4f6d233fd67c954b223f547a9dc9

SHA256
fea5bce3b93b566091be85ab2b61070668ee6a03d543b9772798f3a7ac29cc8c

SHA512
8268fb17efd77370cc64e24551859f6c1180cc52eb6431154d23fb8113cbccec5f4cb1d106f3d02e509c40886acd59bc2a7b050fa36b69059398bfa909c85d15

Download Submit
\Windows\system\svchost.exe

Filesize
66KB

MD5
895be2fc0f832672465810e3a44fabcf

SHA1
446a0a1ff1425d486f047efb1a37652f9142245d

SHA256
02cecd0d5387c7b505fee5283d1fc24f614133560db393aa815329bc73fa3515

SHA512
c279c7e6cb8dc6ba7e1f2a47e581cd3f101b7ad60db00e1df6449e30e8ad56dad196af2f43d90ecabe59b98893d62db530583889031ba5dc78a8132676c7e064

Download Submit
memory/2232-4-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2232-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2232-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2232-17-0x00000000024A0000-0x00000000024D1000-memory.dmp

Filesize
196KB

Download
memory/2232-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2232-81-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2232-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2232-80-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2232-65-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2624-74-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2624-68-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2696-21-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2696-18-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2696-94-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2696-83-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2696-19-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2696-35-0x00000000024A0000-0x00000000024D1000-memory.dmp

Filesize
196KB

Download
memory/2696-36-0x00000000024A0000-0x00000000024D1000-memory.dmp

Filesize
196KB

Download
memory/2744-42-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2744-37-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2744-79-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2744-57-0x0000000002630000-0x0000000002661000-memory.dmp

Filesize
196KB

Download
memory/2812-67-0x0000000002A40000-0x0000000002A71000-memory.dmp

Filesize
196KB

Download
memory/2812-66-0x0000000002A40000-0x0000000002A71000-memory.dmp

Filesize
196KB

Download
memory/2812-53-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2812-60-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2812-85-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2812-59-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download