Overview

overview

10

Static

static

3

422d639534...cs.exe

windows7-x64

10

422d639534...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-05-2024 11:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    422d63953428c5873365c145f11cf440_NeikiAnalytics.exe

  • Size

    65KB

  • MD5

    422d63953428c5873365c145f11cf440

  • SHA1

    748fc2e62f2775f77325d2fb464ce4d2fb83fa30

  • SHA256

    b0235aa6db349166f0b94fdfcfac7397207e6f6653c0c4803cb792f40ada4a2f

  • SHA512

    3ce428bfcc8b1b45f5de4fdb697964915981fc71a43d17a9c270dc5aac765f5cc22bfa8ed4708fd3425801f4ba9270f86c4f9370439a53e08d223da832059e44

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ou6:7WNqkOJWmo1HpM0MkTUmu6

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Detects BazaLoader malware 1 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\422d63953428c5873365c145f11cf440_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\422d63953428c5873365c145f11cf440_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3480
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3712
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3332
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2572
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4852
          • C:\Windows\SysWOW64\at.exe
            at 11:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2588
            • C:\Windows\SysWOW64\at.exe
              at 11:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2536
              • C:\Windows\SysWOW64\at.exe
                at 11:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:3512

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          65KB

          MD5

          8c6c922e661828e76216d0e4ba114e46

          SHA1

          7807ac06d62d33d0689d68a3119173d7a4adb1fd

          SHA256

          6108917e35e5975c1a4e1c3f5c09e9be7950533e46e5f3b983f7b397ee82e323

          SHA512

          f5d33a1a77ba798f2601fe3f04f799533267211595c5752081b9274cbbf1f3112b94053b0ac5678ba99e6714ae75bbaf4c8d584e97375ff5d52fdd6f32ead086

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          65KB

          MD5

          49cf01b8c3efe72362b43c688a7fdf87

          SHA1

          89a43be2ed1a9bcf03918e28fe6baa1b5b726cca

          SHA256

          0a6576369ea3f7ed750a0161a41be6470aad3aa1f61c37633a36ae7f88544215

          SHA512

          ceac488602d75f8a8187370c07ac695c0dfc10defc8721f049064a7b4e67c09ca19a71a61a868536bac6575244759e227de01ffc301cec33858b4b27b048e306

          Download Submit

        • \??\c:\windows\system\explorer.exe
          Filesize

          65KB

          MD5

          75fe30a2d5f94c6110afd0c70c92ebb4

          SHA1

          db526637e5b8ac3116d02ec53408e28fc0dc1b32

          SHA256

          78ae27c8249c835951602dc7a33207a2d0ccfe746927ca903e392109c8faf66a

          SHA512

          79690c50663823a0d7c72a0e746c7808402cfd549cbd27eb735d3ae12451335670089b1d9acd1d5a6f35bf85150982f14505d44e711969d5465c290c07a91fbe

          Download Submit

        • \??\c:\windows\system\svchost.exe
          Filesize

          65KB

          MD5

          bb9a9b67534e8a12cbe50f55a18ebdde

          SHA1

          f51c7cc0f23eaa85f34e1b564cf25eaee8ddfa3a

          SHA256

          2375bc2566c2e4be9d27d8d22a65bbbee777e59c8246bf510baa2f7e19f5ba0d

          SHA512

          760f0c3bfd738f587f42e3c739060b80cf4f356718142b364d2e788819e90d2b64c24a7a5fff6e8a260af78171b3899e5db2091d8f7ceb5dcef7dd11da0e502f

          Download Submit

        • memory/2572-57-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2572-36-0x0000000074FA0000-0x00000000750FD000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3332-52-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3332-24-0x0000000074FA0000-0x00000000750FD000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3332-30-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3332-28-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3480-53-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3480-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3480-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/3480-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3480-2-0x0000000074FA0000-0x00000000750FD000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3480-54-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/3480-5-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/3712-56-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3712-15-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3712-66-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3712-13-0x0000000074FA0000-0x00000000750FD000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4852-49-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4852-43-0x0000000074FA0000-0x00000000750FD000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4852-42-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download