Analysis

- max time kernel: 150s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-05-2024 13:09
Static task: static1

Behavioral task: behavioral1
- Sample: de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General

| Field | Value |
| --- | --- |
| Target | de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe |
| Size | 66KB |
| MD5 | de39c54c503bffd2d9dd6827d3b128a0 |
| SHA1 | 387d7dc4b773480cc33c4573019bd584f5581cc1 |
| SHA256 | 58db54e0af022ae3e759e7fbe74ceca33853f81ad09d6af4ecc231e6aa844681 |
| SHA512 | 3886ab4a2323500f59a52bdbb615389e4cd692933d2e5a0b7ae95323eed6de7060600d392a26cd36d7b01d1b90c25d7632107063d9b157b3835b9283180bee74 |
| SSDEEP | 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiU:IeklMMYJhqezw/pXzH9iU |
Malware Config
Signatures
Detects BazaLoader malware (1 IoC)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

| resource | yara_rule |
| --- | --- |
| behavioral2/memory/4896-38-0x0000000074F20000-0x000000007507D000-memory.dmp | BazaLoader |

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"` | explorer.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"` | svchost.exe |

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | `\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"` | explorer.exe |
| Set value (int) | `\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"` | svchost.exe |

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | `\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}` | svchost.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"` | svchost.exe |
| Key deleted | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}` | svchost.exe |
| Key created | `\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}` | explorer.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"` | explorer.exe |
| Key created | `\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}` | svchost.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"` | svchost.exe |
| Key deleted | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}` | svchost.exe |
Executes dropped EXE (4 IoCs)

| pid | Process |
| --- | --- |
| 1420 | explorer.exe |
| 2512 | spoolsv.exe |
| 4896 | svchost.exe |
| 1936 | spoolsv.exe |

Adds Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"` | svchost.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"` | explorer.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"` | explorer.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"` | svchost.exe |

Drops file in Windows directory (6 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | `\??\c:\windows\system\svchost.exe` | svchost.exe |
| File opened for modification | `C:\Windows\system\udsys.exe` | explorer.exe |
| File opened for modification | `\??\c:\windows\system\explorer.exe` | de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe |
| File opened for modification | `\??\c:\windows\system\spoolsv.exe` | explorer.exe |
| File opened for modification | `\??\c:\windows\system\svchost.exe` | spoolsv.exe |
| File opened for modification | `\??\c:\windows\system\explorer.exe` | explorer.exe |

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process | Occurrences |
| --- | --- | --- |
| 3956 | de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe | 2 |
| 1420 | explorer.exe | 34 |
| 4896 | svchost.exe | 28 |

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| pid | Process |
| --- | --- |
| 1420 | explorer.exe |
| 4896 | svchost.exe |

Suspicious use of SetWindowsHookEx (12 IoCs)

| pid | Process |
| --- | --- |
| 3956 | de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe |
| 3956 | de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe |
| 1420 | explorer.exe |
| 1420 | explorer.exe |
| 2512 | spoolsv.exe |
| 2512 | spoolsv.exe |
| 4896 | svchost.exe |
| 4896 | svchost.exe |
| 1936 | spoolsv.exe |
| 1936 | spoolsv.exe |
| 1420 | explorer.exe |
| 1420 | explorer.exe |

Suspicious use of WriteProcessMemory (21 IoCs)

| description | pid | Process | procid_target | Occurrences |
| --- | --- | --- | --- | --- |
| PID 3956 wrote to memory of 1420 | 3956 | de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe | 82 | 3 |
| PID 1420 wrote to memory of 2512 | 1420 | explorer.exe | 83 | 3 |
| PID 2512 wrote to memory of 4896 | 2512 | spoolsv.exe | 84 | 3 |
| PID 4896 wrote to memory of 1936 | 4896 | svchost.exe | 86 | 3 |
| PID 4896 wrote to memory of 1944 | 4896 | svchost.exe | 88 | 3 |
| PID 4896 wrote to memory of 2400 | 4896 | svchost.exe | 99 | 3 |
| PID 4896 wrote to memory of 848 | 4896 | svchost.exe | 101 | 3 |
Processes

Process tree (each child is indented under its parent process):

C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe (PID 3956)
  Command line: "C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe (PID 1420)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\spoolsv.exe (PID 2512)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\svchost.exe (PID 4896)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe (PID 1936)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\at.exe (PID 1944)
          Command line: at 13:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

        C:\Windows\SysWOW64\at.exe (PID 2400)
          Command line: at 13:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

        C:\Windows\SysWOW64\at.exe (PID 848)
          Command line: at 13:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads