Overview

overview

10

Static

static

3

84724ce7f6...cs.exe

windows7-x64

10

84724ce7f6...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-05-2024 09:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    84724ce7f6587326f35e8cca361b8dc0_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    84724ce7f6587326f35e8cca361b8dc0

  • SHA1

    be241b027c2537b6cd701ef983123525b6606b41

  • SHA256

    e39a2a092af3e3bbc81910a22bee932437896f9a3b99bbf16ab3bf3778081910

  • SHA512

    dced82edde223517781bb98358de19cb982d55dd20ea1379d92663958a69cc243397be3f495c201e5601f7705d49026b48d05c7a419dec846c7ca69247a43e5a

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiXSSSSSSSSSSSSSSSSSSSSv:IeklMMYJhqezw/pXzH9iXSSSSSSSSSSH

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Detects BazaLoader malware 1 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\84724ce7f6587326f35e8cca361b8dc0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\84724ce7f6587326f35e8cca361b8dc0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4408
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2284
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3840
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5044
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1492
          • C:\Windows\SysWOW64\at.exe
            at 09:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:4952
            • C:\Windows\SysWOW64\at.exe
              at 09:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2848
              • C:\Windows\SysWOW64\at.exe
                at 09:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:3576

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          3c70f6a0412f59402ba1f61531a6100e

          SHA1

          0c229a5c5921d8f074d2b03730df10e924e91e2c

          SHA256

          931d57aff4f4b5e3dbf0b1c77567a47243f77fdb5c9287cb55c18c0760c58edd

          SHA512

          5db398f2fc7065e053a3adb0615c0f96b3b2931102eadc3423cfee0e186cdaea5a4e67696e55cfa56a0b366c1b2635a34167ffce350d4df1d22e303b1634f850

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          fb9c79b1e8c3a3973a7c55e3d740fd95

          SHA1

          c312c3d376aa331b91e165b8ad13dbd487d96591

          SHA256

          6573b9a401d0bbf27aeb9b5880e8f6f0925f51d17c9fc8ae6c26def4d0cde7b9

          SHA512

          83f9e8c860191277548fbcf25f9b4c2ef942f475aefd13ec32307d92d00a841a0c4f15fc71e017cf68aa25841e582443c7dee6ab6ce76d47f8247fe97852a0e0

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          aa7043c794b4621dfed068047da4f32d

          SHA1

          ffbcdd4d81b65854ec24f90aac19040f674948e1

          SHA256

          29356958d7d7ad105f631dc62ebcaaecb6f3d88fc4dedfa345743cc8963e3327

          SHA512

          591c8bc428c28e5153ce3f56de25a9d88c68cec8ac375f0ecf3c77d386dd2f84fa3236a117cfb501a271c7043a84ae833c11b3888f096fcd17fe0da425c66044

          Download Submit

        • \??\c:\windows\system\explorer.exe
          Filesize

          66KB

          MD5

          6f96b3da58ca279450e48b1b2f56f268

          SHA1

          aa34041cd2c226708ccb945b101cff85640c4c81

          SHA256

          17a86576600c88267782c4c7cf5aa5add87850a7ad537b10332d47d353340ae0

          SHA512

          cec1b1f50240674a21c1512c91c54f2d4acd274c8a2e822039e8801db5184e2ef2e3988b29cc4e28e2924bdc0d21da00a8b1adbff9ccc1f0d43361bfd2d16e7a

          Download Submit

        • memory/1492-51-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1492-43-0x00000000756B0000-0x000000007580D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2284-13-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2284-14-0x00000000756B0000-0x000000007580D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2284-16-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2284-69-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2284-58-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3840-25-0x00000000756B0000-0x000000007580D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3840-30-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3840-53-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4408-2-0x00000000756B0000-0x000000007580D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4408-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4408-56-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4408-55-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4408-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/4408-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4408-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5044-40-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5044-36-0x00000000756B0000-0x000000007580D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/5044-60-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download