Overview

overview

10

Static

static

3

fd7e9fdf52...cs.exe

windows7-x64

10

fd7e9fdf52...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/05/2024, 11:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd7e9fdf5213b638c66eb8d1f4f53d10_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    fd7e9fdf5213b638c66eb8d1f4f53d10

  • SHA1

    4629d06c2d4821da6334eb3eb57b2ec5bc4beb05

  • SHA256

    d9f629374fdd0bff8cf57f59e065646792f203655953f181b54b8bfac4fbf286

  • SHA512

    047afa9059467d0777066988451cb32e7bc95f0f89e611dfcb0ef513253caebfef2140ca541c5908e57445285b953ec2b5b6b3872b82dd184f005f822f57a9b5

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi5:IeklMMYJhqezw/pXzH9i5

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Detects BazaLoader malware 1 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd7e9fdf5213b638c66eb8d1f4f53d10_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\fd7e9fdf5213b638c66eb8d1f4f53d10_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3996
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4380
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3468
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:920
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3664
          • C:\Windows\SysWOW64\at.exe
            at 11:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:4660
            • C:\Windows\SysWOW64\at.exe
              at 11:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:3204
              • C:\Windows\SysWOW64\at.exe
                at 11:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:3552

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          3c98155d889fa5ad1b8b71230e002bae

          SHA1

          a68639c93c86320f0224bfa3dff8cd5af01115d5

          SHA256

          0b2b6c9484451412a8a1d14b039f1180d0adcb9860f018dfc8b3cd6ae4c85f96

          SHA512

          536cb109f1a55ca78db35ba7ff1b65043ee35f7ac265cbf7ff84b5f30c6fe40a00802d4de33322a559b82459ad3fb3d2210e8e9dc9ee18b4c1cad4d7075a6fd1

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          66KB

          MD5

          19792fd40484242a696efd2ff8a77bfc

          SHA1

          28fd019d2b24b3f94ca2e710428b9631b6c3acfc

          SHA256

          66228a03484ede345756f09179a650ec5eb188b767aa02c28d1008ec0e2af1d9

          SHA512

          f0f300840776f3b04da39ad218c9b2db86ff542265ce8e391992c371eb5bedf3bf14bc51c11cd0b45bcbf3d1bc56ea7a971a42e38929858d076838b565547d36

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          c585d0747bd835534a2e1f703c388842

          SHA1

          91adba006d6fb2c4772c1119ec3abfbae3a4c181

          SHA256

          e6be39bb18bc9303fc650f7213201cf0ad4ffad54b270c11e0f06c56e69a3dbc

          SHA512

          3f7f715b75821ef720126acb529453e79fc03831fdabb8576e53625a3e417c71d2995d177d9f4b1c6a797afd7a6653a455ce6ba2a7cda899f9ad25370cd18992

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          95118781158b5c41ac19ab4e5eecb96f

          SHA1

          81934b59149194c7678590fb1f5e197ec4266936

          SHA256

          d09861a6d80acb658591e775f2f8fd54056d5346cff371ed17695c33faa91df3

          SHA512

          b3067f6adf0927f40ee864e455831ac2da7ee834590143ca4a8cd3acf29b2712c22536ddcff8000ea5a9cb071af20e2a1ba256c00a6043ada743877073da7076

          Download Submit

        • memory/920-62-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/920-43-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/920-44-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/920-38-0x0000000075720000-0x000000007587D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3468-27-0x0000000075720000-0x000000007587D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3468-56-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3468-32-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3468-26-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3664-46-0x0000000075720000-0x000000007587D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3664-52-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3996-58-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/3996-1-0x0000000075720000-0x000000007587D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3996-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3996-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/3996-57-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3996-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3996-2-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/4380-14-0x0000000075720000-0x000000007587D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4380-17-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4380-13-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4380-16-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4380-60-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4380-71-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download