Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 13:09
Static task: static1
Behavioral task: behavioral1
  Sample: de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe
Size: 66KB
MD5: de39c54c503bffd2d9dd6827d3b128a0
SHA1: 387d7dc4b773480cc33c4573019bd584f5581cc1
SHA256: 58db54e0af022ae3e759e7fbe74ceca33853f81ad09d6af4ecc231e6aa844681
SHA512: 3886ab4a2323500f59a52bdbb615389e4cd692933d2e5a0b7ae95323eed6de7060600d392a26cd36d7b01d1b90c25d7632107063d9b157b3835b9283180bee74
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiU:IeklMMYJhqezw/pXzH9iU
Malware Config
Signatures
-
Detects BazaLoader malware (1 IoC)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
resource: behavioral1/memory/2728-54-0x0000000072940000-0x0000000072A93000-memory.dmp
yara_rule: BazaLoader
Note that this family label rests on a single YARA match against one memory region of svchost.exe (PID 2728). The Network section of this report is empty, so nothing recorded here corroborates the C2 behaviour the rule description refers to; treat the classification as a lead to be weighed against the file-system and registry behaviour below, not as a conclusion.
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Winlogon treats Shell as a comma-separated list and starts every entry at logon. Keeping the genuine C:\Windows\explorer.exe first preserves a normal desktop while the dropped c:\windows\system\explorer.exe is started beside it, so a check that only confirms the value "contains explorer.exe" misses this; compare the full list against the stock value instead.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
ShowSuperHidden = 0 turns off the Explorer option that shows protected operating-system files, so anything carrying both the hidden and system attributes stays invisible to the user even when ordinary hidden files are displayed.
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Active Setup runs a component's StubPath once per user at logon, whenever the HKCU copy of the component key is missing or older than the HKLM one, so every user who has not logged on since these keys were written gets a fresh run of mrsys.exe from AppData\Roaming. Note also that the two component names are not well-formed GUIDs (VMVQ, NUFL, OTRW and the leading Y are not hexadecimal), which cleanly separates them from genuine Installed Components entries in a registry sweep.
Executes dropped EXE (4 IoCs)
pid | Process
2492 | explorer.exe
2556 | spoolsv.exe
2728 | svchost.exe
2392 | spoolsv.exe
Loads dropped DLL (8 IoCs; each process is listed twice in the original)
pid | Process
2872 | de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe
2492 | explorer.exe
2556 | spoolsv.exe
2728 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Both dropped copies write both RunOnce values, so removing one copy leaves the other to re-register it on its next run. RunOnce entries are deleted as they are consumed at logon, which is why the pair keeps rewriting them; the Wow6432Node path shows the writers are 32-bit processes on this x64 image.
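The three registry signatures above (Winlogon Shell, Active Setup StubPath, RunOnce) can be checked mechanically against registry write events. The Python below is an added example written for this page, not part of the sandbox output: it takes Set-value events shaped like the IoC rows above (constructed here from the report, plus two constructed benign rows as controls) and applies three rules: a Shell list with anything beyond the stock explorer.exe, an Installed Components name that is not a well-formed GUID or whose StubPath lives in a user-writable directory, and a Run/RunOnce target outside System32, SysWOW64 or Program Files. The directory allowlists and the control rows are the example's own assumptions, not data from the report.

```python
"""Registry persistence triage over Set-value events (added example).

EVENTS is constructed from this report's Winlogon, Active Setup and RunOnce
IoC rows, with two constructed benign rows so every rule has a negative case.
"""
import re
from typing import List, NamedTuple


class RegEvent(NamedTuple):
    key: str      # registry key path
    value: str    # value name
    data: str     # string data written
    process: str  # image name of the writing process


HKLM32 = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft"
EVENTS = [
    RegEvent(HKLM32 + r"\Windows NT\CurrentVersion\Winlogon", "Shell",
             r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe", "explorer.exe"),
    RegEvent(HKLM32 + r"\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}",
             "StubPath", r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR", "svchost.exe"),
    RegEvent(HKLM32 + r"\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}",
             "StubPath", r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR", "svchost.exe"),
    RegEvent(HKLM32 + r"\Windows\CurrentVersion\RunOnce", "Svchost",
             r"c:\windows\system\svchost.exe RO", "explorer.exe"),
    RegEvent(HKLM32 + r"\Windows\CurrentVersion\RunOnce", "Explorer",
             r"c:\windows\system\explorer.exe RO", "svchost.exe"),
    # Constructed benign controls (assumption): stock Shell value, genuine IE Active Setup component.
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
             "explorer.exe", "TrustedInstaller.exe"),
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4340}",
             "StubPath", r"C:\Windows\System32\ie4uinit.exe -UserConfig", "TrustedInstaller.exe"),
]

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Assumption of this example: directories an HKLM autostart may reasonably point into.
AUTOSTART_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                  r"c:\program files", r"c:\program files (x86)")
STOCK_SHELL = ("explorer.exe", r"c:\windows\explorer.exe", r"%systemroot%\explorer.exe")


def exe_path(cmdline: str) -> str:
    """First executable in a command line, quotes and trailing arguments stripped."""
    m = re.match(r'\s*"?([^"]*?\.exe)', cmdline, re.I)
    return m.group(1) if m else cmdline.strip()


def check_event(ev: RegEvent) -> List[str]:
    findings = []
    key = ev.key.lower()
    if key.endswith("\\winlogon") and ev.value.lower() == "shell":
        # Shell is a comma-separated list; Winlogon starts every entry at logon.
        for entry in (e.strip() for e in ev.data.split(",")):
            if entry and entry.lower() not in STOCK_SHELL:
                findings.append(f"Winlogon Shell starts extra program {entry} (set by {ev.process})")
    elif "\\active setup\\installed components\\" in key and ev.value.lower() == "stubpath":
        component = ev.key.rsplit("\\", 1)[1]
        if not GUID_RE.match(component):
            findings.append(f"Active Setup component {component} is not a valid GUID")
        target = exe_path(ev.data).lower()
        if any(seg in target for seg in USER_WRITABLE):
            findings.append(f"Active Setup StubPath runs from user-writable path {target}")
    elif re.search(r"\\currentversion\\run(once)?$", key):
        target = exe_path(ev.data).lower()
        subkey = key.rsplit("\\", 1)[1]
        if not target.startswith(AUTOSTART_DIRS):
            findings.append(f"{subkey} value {ev.value} points outside system dirs: {target}")
    return findings


def triage(events) -> List[str]:
    """All findings for a batch of events, in event order."""
    return [f for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

Run against the report's rows this yields seven findings (one Shell entry, two per bogus Active Setup component, one per RunOnce value) and none for the two control rows. The same three rules map directly onto Sysmon Event ID 13 (RegistryEvent value set) if you want them as live detections rather than a post-hoc triage pass.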
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
2872 | de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe | 1
2492 | explorer.exe | 32
2728 | svchost.exe | 31
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2492 | explorer.exe
2728 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process | occurrences
2872 | de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe | 2
2492 | explorer.exe | 4
2556 | spoolsv.exe | 2
2728 | svchost.exe | 2
2392 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (28 IoCs; each relationship is recorded four times in the original listing)
description | pid | Process | procid_target
PID 2872 wrote to memory of 2492 | 2872 | de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe | 28
PID 2492 wrote to memory of 2556 | 2492 | explorer.exe | 29
PID 2556 wrote to memory of 2728 | 2556 | spoolsv.exe | 30
PID 2728 wrote to memory of 2392 | 2728 | svchost.exe | 31
PID 2728 wrote to memory of 1564 | 2728 | svchost.exe | 32
PID 2728 wrote to memory of 2004 | 2728 | svchost.exe | 36
PID 2728 wrote to memory of 612 | 2728 | svchost.exe | 38
Every target here is a direct child of the writer (see the process tree below), so these are writes into freshly created children rather than into unrelated running processes; the signature is corroborating evidence of the chain, not evidence of injection into a third-party process.
Processes

C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe (PID 2872)
  Command line: "C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe (PID 2492)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\spoolsv.exe (PID 2556)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\svchost.exe (PID 2728)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe (PID 2392)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\at.exe (PID 1564)
          Command line: at 13:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

        C:\Windows\SysWOW64\at.exe (PID 2004)
          Command line: at 13:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

        C:\Windows\SysWOW64\at.exe (PID 612)
          Command line: at 13:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

The chain is sample -> explorer.exe -> spoolsv.exe SE -> svchost.exe -> spoolsv.exe PR, every stage a copy written to c:\windows\system and named after a Windows binary that really lives in C:\Windows or System32. The three at.exe jobs are scheduled for 13:11, 13:12 and 13:13, two to four minutes after the 13:09 submission, and repeat every day of the week; jobs created with at.exe run under the Task Scheduler service rather than the creating user's token, so the relaunch of c:\windows\system\svchost.exe does not depend on the infected user logging on again.
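Two things in the tree above are worth automating: Windows binary names (explorer.exe, spoolsv.exe, svchost.exe) running from c:\windows\system instead of their real directories, and at.exe jobs with /every and /interactive that point back at a dropped copy. The Python below is an added example for this page, not sandbox output. PROCS is constructed from the process tree; the EXPECTED_DIR map stating where those binaries belong is the example's own assumption. It flags the masquerading processes, decodes each at.exe command line, and walks parent PIDs so each job is reported with the lineage that created it.

```python
"""Process-tree triage: name masquerading and at.exe recurring jobs (added example).

PROCS is constructed from this report's process tree as (pid, parent pid,
image path, arguments). EXPECTED_DIR is an assumption of the example.
"""
import re
from typing import Dict, List, NamedTuple, Optional

SAMPLE = "de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe"
AT_LINE = r"/interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"


class Proc(NamedTuple):
    pid: int
    ppid: Optional[int]
    image: str
    args: str


PROCS = [
    Proc(2872, None, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE, ""),
    Proc(2492, 2872, r"c:\windows\system\explorer.exe", ""),
    Proc(2556, 2492, r"c:\windows\system\spoolsv.exe", "SE"),
    Proc(2728, 2556, r"c:\windows\system\svchost.exe", ""),
    Proc(2392, 2728, r"c:\windows\system\spoolsv.exe", "PR"),
    Proc(1564, 2728, r"C:\Windows\SysWOW64\at.exe", "at 13:11 " + AT_LINE),
    Proc(2004, 2728, r"C:\Windows\SysWOW64\at.exe", "at 13:12 " + AT_LINE),
    Proc(612, 2728, r"C:\Windows\SysWOW64\at.exe", "at 13:13 " + AT_LINE),
]

# Assumption: directories (lower-case) where Windows actually keeps these binaries.
EXPECTED_DIR = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}
ALL_DAYS = {"m", "t", "w", "th", "f", "s", "su"}
# at <HH:MM> [/switch ...] <command>
AT_RE = re.compile(r"^at\s+(\d{1,2}:\d{2})((?:\s+/\S+)*)\s+(.+?)\s*$", re.I)


def misplaced(image: str) -> bool:
    """True when a well-known system binary name runs outside its home directory."""
    directory, _, name = image.lower().rpartition("\\")
    return name in EXPECTED_DIR and directory not in EXPECTED_DIR[name]


def masquerading(procs) -> List[int]:
    """PIDs whose image name borrows a system binary's name from the wrong directory."""
    return [p.pid for p in procs if misplaced(p.image)]


def parse_at(args: str) -> Optional[Dict]:
    """Decode an at.exe command line; None if it is not a job-creation call."""
    m = AT_RE.match(args.strip())
    if not m:
        return None
    when, switches, command = m.groups()
    switches = switches.lower().split()
    days = set()
    for s in switches:
        if s.startswith("/every:"):
            days = {d for d in s[len("/every:"):].split(",") if d}
    return {
        "time": when,
        "interactive": "/interactive" in switches,
        "daily": days == ALL_DAYS,
        "target": command,
        "target_misplaced": misplaced(command.split()[0]),
    }


def lineage(procs, pid: int) -> List[str]:
    """Image names from the root of the tree down to pid."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain[::-1]


def scheduled_jobs(procs) -> List[Dict]:
    """Every at.exe job in the tree, with the process chain that created it."""
    jobs = []
    for p in procs:
        if p.image.lower().endswith("\\at.exe"):
            job = parse_at(p.args)
            if job:
                job["pid"] = p.pid
                job["chain"] = lineage(procs, p.pid)
                jobs.append(job)
    return jobs


if __name__ == "__main__":
    print("masquerading:", masquerading(PROCS))
    for job in scheduled_jobs(PROCS):
        print(job["time"], "daily" if job["daily"] else "", job["target"], "<-", " -> ".join(job["chain"]))
```

On the report's tree this reports PIDs 2492, 2556, 2728 and 2392 as misplaced, and three daily interactive jobs whose target is itself a misplaced svchost.exe, each created by the chain sample -> explorer.exe -> spoolsv.exe -> svchost.exe -> at.exe. Fed with Sysmon Event ID 1 records instead of the constructed list, the same two functions work as detections for masquerading (the Image/ParentImage pair) and for at.exe abuse (CommandLine).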
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads

Filesize: 66KB
MD5: 83201eb93e5217604f3e3fbb7ba38f02
SHA1: e761f2ef90e68a49e18eab3719fd8e63a46a5492
SHA256: f4ff6e5e7ceebd2660b8cf375fa32e07fa0b029c2fb61618e66d4e39d048e692
SHA512: befbae43aa78c1f59961b3025d8a3f842ee4a90c6f3103e2aa376220a0b6f592f23533b7c5b36bc75eabe154325514adaaba24bf3778ca783f228b9f2a8e139d

Filesize: 66KB
MD5: 0dc58a0eece5a30d4f35a301f10b63ba
SHA1: e2f4df7c84d0b5db68faa262833afec56cf6eb8b
SHA256: 90b664c594607be3c713323cb37c683b43b97fe8e7b06139ac5a7f1fb9f0ca0d
SHA512: 0d80c6369263fc9cc19823aaf6a76783e7bfadfc687c6c131bfd1ae8a69010979e9d26af35d06ace93ba7bbde287755345ba7ff9d8ec02b2d8058ecdd6fbcdf4

Filesize: 66KB
MD5: 526de2939fd4f65eb2278e3a65f49652
SHA1: afe9fa4ee2a92b3f23504ca70cc08ccdf82bbef9
SHA256: 96da65dc0fa461714ea3aa81a4b9f71ef9dd70d88bced0282c01aced9ae13f6f
SHA512: 9d6d11e5031dd372145d4e6c25f3b173bccb354800739a2ec424a3de72dce2ab9da38a19a0aba02958e16ad706f2649be001915c86dbc464f6a771a689b017a5

Filesize: 66KB
MD5: 8e8ff15eff63b0d91a394365ea891517
SHA1: f3ce6f2c386747f71293a366e78d5c9767427c08
SHA256: 4e72f4f99e4f6d6dbddb7ca281fbe36d48ec10d72b322c4490549793dfe7cf42
SHA512: 8c764842f5c0dba7c43cfe18f9907b1f010ebc2715c1f6b7f52c6af56d851576e202cfa9f140221e31f3fcfa1cd9eae7a5140657b1d6fa7d7bb9c79986943623

All four dropped files are 66KB, the same size as the submitted sample, yet each carries a different MD5, SHA1 and SHA256 and none matches the parent's hashes, so every copy differs byte-wise from the original. Blocking the submitted sample's hashes alone will therefore not catch the copies left in c:\windows\system; hunt by path, file name and the registry and scheduled-job indicators above instead.