Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 04:00
Static task
static1
Behavioral task
behavioral1
Sample
8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe
-
Size
66KB
-
MD5
8cb289f744a3bafac8a23b64448dc080
-
SHA1
0b104f60726430d679477ecff9514e3267227fcf
-
SHA256
d6aa28b2c2adf47ea35bf96a70feb793429327efa89f4bb98c83ef6360c8c79f
-
SHA512
8a8bc8eb9c4af52a0b44631a36e8812ad539c558b07b4c6e070c68d47d8ebd2cea556cf15c062f406ea143b192e82d6a9b6fa54bd037ba67d2cf3699c31c1b9b
-
SSDEEP
1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiR:IeklMMYJhqezw/pXzH9iR
Malware Config
Signatures
-
Detects BazaLoader malware (1 IoC)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
resource: behavioral1/memory/2388-54-0x0000000072940000-0x0000000072A93000-memory.dmp
yara_rule: BazaLoader
This single YARA match on one memory region of PID 2388 is the only family attribution on the page; every other signature below describes generic persistence or execution behaviour, so corroborate the family label before relying on it.
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: svchost.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
Both component identifiers contain letters outside the hexadecimal alphabet (Y, O, T, R, W, U, G, H, S, V, M, Q, N, F, L), so neither can be a CLSID that Windows itself registered.
Executes dropped EXE (4 IoCs)
pid 2508 explorer.exe
pid 2740 spoolsv.exe
pid 2388 svchost.exe
pid 2440 spoolsv.exe
Loads dropped DLL (8 IoCs)
pid 2176 8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe (x2)
pid 2508 explorer.exe (x2)
pid 2740 spoolsv.exe (x2)
pid 2388 svchost.exe (x2)
Adds Run key to start application (2 TTPs, 4 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: svchost.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: svchost.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
Drops file in Windows directory (6 IoCs)
File opened for modification \??\c:\windows\system\explorer.exe (process: 8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe)
File opened for modification \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
File opened for modification \??\c:\windows\system\svchost.exe (process: spoolsv.exe)
File opened for modification \??\c:\windows\system\explorer.exe (process: explorer.exe)
File opened for modification \??\c:\windows\system\svchost.exe (process: svchost.exe)
File opened for modification C:\Windows\system\udsys.exe (process: explorer.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 2176 8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe (once), followed by repeated entries alternating between pid 2508 explorer.exe and pid 2388 svchost.exe (63 entries between them, roughly evenly split)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid 2508 explorer.exe
pid 2388 svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid 2176 8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe (x2)
pid 2508 explorer.exe (x4, in two pairs)
pid 2740 spoolsv.exe (x2)
pid 2388 svchost.exe (x2)
pid 2440 spoolsv.exe (x2)
Suspicious use of WriteProcessMemory (28 IoCs; each parent/child pair is recorded four times)
PID 2176 (8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe) wrote to memory of 2508, procid_target 28
PID 2508 (explorer.exe) wrote to memory of 2740, procid_target 29
PID 2740 (spoolsv.exe) wrote to memory of 2388, procid_target 30
PID 2388 (svchost.exe) wrote to memory of 2440, procid_target 31
PID 2388 (svchost.exe) wrote to memory of 1764, procid_target 32
PID 2388 (svchost.exe) wrote to memory of 2704, procid_target 36
PID 2388 (svchost.exe) wrote to memory of 1016, procid_target 38
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe (PID 2176)
  command line: "C:\Users\Admin\AppData\Local\Temp\8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Depth 2: \??\c:\windows\system\explorer.exe (PID 2508, child of 2176)
    command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Depth 3: \??\c:\windows\system\spoolsv.exe (PID 2740, child of 2508)
      command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Depth 4: \??\c:\windows\system\svchost.exe (PID 2388, child of 2740)
        command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        Depth 5: \??\c:\windows\system\spoolsv.exe (PID 2440, child of 2388)
          command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        Depth 5: C:\Windows\SysWOW64\at.exe (PID 1764, child of 2388)
          command line: at 04:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        Depth 5: C:\Windows\SysWOW64\at.exe (PID 2704, child of 2388)
          command line: at 04:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        Depth 5: C:\Windows\SysWOW64\at.exe (PID 1016, child of 2388)
          command line: at 04:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
The chain 2176 -> 2508 -> 2740 -> 2388 -> {2440, 1764, 2704, 1016} is the same one recorded under "Suspicious use of WriteProcessMemory" above; the three at.exe jobs re-launch the dropped svchost.exe every day at 04:02, 04:03 and 04:04, two to four minutes after the 04:00 submission time.
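Detection logic for the persistence chain recorded above, written as an added example for this page; it is not part of the sandbox report and not a vendor rule set. It turns the report's IoCs into checks that can run over endpoint telemetry: the Winlogon Shell value that gained a second, comma-separated entry; the Active Setup Installed Components entry whose identifier {Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} cannot be a real CLSID because it contains letters outside the hexadecimal alphabet; RunOnce values and dropped files that reuse the names explorer.exe, svchost.exe and spoolsv.exe but live in c:\windows\system\ rather than in those binaries' real directories; ShowSuperHidden turned off by one of those impostors; and at.exe jobs scheduled with /every. The EVENTS list is constructed by hand from the report's IoCs, and its field names (type, image, key, value, path, cmdline) are an assumption modelled loosely on Sysmon event IDs 1, 11 and 13.

```python
"""Detection rules for the persistence/execution IoCs in this report.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's IoCs; the field names are an assumption (Sysmon-like, not Sysmon).
"""
import re

# Where the Windows binaries this sample impersonates really live. The sample
# drops same-named copies into c:\windows\system\ (the legacy 16-bit directory),
# so name plus parent directory separates the real binary from the dropped one.
LEGIT_HOMES = {
    "explorer.exe": ("c:\\windows",),
    "svchost.exe":  ("c:\\windows\\system32", "c:\\windows\\syswow64"),
    "spoolsv.exe":  ("c:\\windows\\system32",),
}

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ACTIVE_SETUP_RE = re.compile(
    r"\\active setup\\installed components\\(\{[^\\]+\})\\stubpath$", re.I)
AUTORUN_RE = re.compile(r"\\currentversion\\run(once)?\\", re.I)
WINLOGON_SHELL_RE = re.compile(r"\\winlogon\\shell$", re.I)
SUPERHIDDEN_RE = re.compile(r"\\explorer\\advanced\\showsuperhidden$", re.I)


def norm(path):
    """Lower-case and drop the \\??\\ prefix the sandbox prints on NT paths."""
    p = path.strip().lower()
    return p[4:] if p.startswith("\\??\\") else p


def masquerading(image):
    """True if image carries a system-binary name but sits outside its home."""
    directory, _, name = norm(image).rpartition("\\")
    homes = LEGIT_HOMES.get(name)
    return homes is not None and directory not in homes


def first_image(value):
    """Executable path from an autostart value such as 'c:\\x\\a.exe RO', or
    from the comma-separated list form the Winlogon Shell value uses."""
    first = value.split(",")[0].strip().strip('"')
    m = re.match(r"(.*?\.exe)", first, re.I)
    return m.group(1) if m else first


def check_registry(ev):
    key, value, writer = ev["key"], ev["value"], ev["image"]
    hits = []
    # The default Shell value is the bare 'explorer.exe'; anything else was added.
    if WINLOGON_SHELL_RE.search(key) and norm(value) != "explorer.exe":
        hits.append(("winlogon_shell_modified", value))
    m = ACTIVE_SETUP_RE.search(key)
    if m:
        if not GUID_RE.match(m.group(1)):   # e.g. {Y479C6D0-OTRW-...}: not hex
            hits.append(("active_setup_bogus_guid", m.group(1)))
        if "\\users\\" in norm(value):      # StubPath pointing into a profile
            hits.append(("active_setup_stub_in_profile", value))
    if AUTORUN_RE.search(key) and masquerading(first_image(value)):
        hits.append(("autorun_masquerading_image", value))
    if SUPERHIDDEN_RE.search(key) and value == "0" and masquerading(writer):
        hits.append(("superhidden_disabled_by_impostor", writer))
    return hits


def check_process(ev):
    image, cmd = ev["image"], ev["cmdline"]
    hits = []
    if norm(image).endswith("\\at.exe") and "/every:" in cmd.lower():
        hits.append(("at_job_persistence", cmd))
    if masquerading(image):
        hits.append(("process_masquerading", image))
    return hits


def check_file(ev):
    p = norm(ev["path"])
    if masquerading(p):
        return [("masquerading_binary_dropped", p)]
    if p.startswith("c:\\windows\\system\\") and p.endswith(".exe"):
        return [("exe_dropped_in_windows_system", p)]   # catches udsys.exe too
    return []


def scan(events):
    """Run every rule over the event list; return a list of (rule, detail)."""
    rules = {"registry_set": check_registry, "process_create": check_process,
             "file_write": check_file}
    return [hit for ev in events for hit in rules[ev["type"]](ev)]


EVENTS = [  # constructed from the report's IoCs; not captured telemetry
    {"type": "process_create", "cmdline": "",
     "image": r"C:\Users\Admin\AppData\Local\Temp\8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe"},
    {"type": "file_write", "path": r"\??\c:\windows\system\explorer.exe"},
    {"type": "file_write", "path": r"C:\Windows\system\udsys.exe"},
    {"type": "process_create", "image": r"\??\c:\windows\system\explorer.exe",
     "cmdline": r"c:\windows\system\explorer.exe"},
    {"type": "registry_set", "image": r"c:\windows\system\svchost.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
     "value": r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe"},
    {"type": "registry_set", "image": r"c:\windows\system\svchost.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
            r"\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath",
     "value": r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR"},
    {"type": "registry_set", "image": r"c:\windows\system\svchost.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer",
     "value": r"c:\windows\system\explorer.exe RO"},
    {"type": "registry_set", "image": r"c:\windows\system\explorer.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft"
            r"\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "value": "0"},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\at.exe",
     "cmdline": r"at 04:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"},
    # benign control: the real Explorer from its own directory; no rule should fire
    {"type": "process_create", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    for rule, detail in scan(EVENTS):
        print(f"{rule:34} {detail}")
```

Run as a script it lists nine findings, one per IoC class in the report, and the real-Explorer record at the end produces none. The name-plus-directory test is deliberately narrow: on a live host pair it with Authenticode verification of the image, since an unsigned explorer.exe placed in C:\Windows would pass the directory check alone.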
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution, T1547 (3)
    Registry Run Keys / Startup Folder, T1547.001 (2)
    Winlogon Helper DLL, T1547.004 (1)
Privilege Escalation
  Boot or Logon Autostart Execution, T1547 (3)
    Registry Run Keys / Startup Folder, T1547.001 (2)
    Winlogon Helper DLL, T1547.004 (1)
Downloads
All four files are 66KB, the same size as the submitted sample, but each carries a distinct hash.
File 1
Filesize 66KB
MD5 21556afa4d5e3d47297f63728636519e
SHA1 a529f68a202dd854c1f5cb10a37fd38a0fb5df49
SHA256 1233c6feb0593bad61ca56b6d1b5b0012edc466a268ab81c8267cafd0d6ae3fa
SHA512 f750fb03d7f9631d316f20f7d49aefecbb297c60e19f449741078fc411fe0d2bb340aaa1e34a4beb3002c0221d51a2355b1bd2c170192942567e9bdb6475734f
File 2
Filesize 66KB
MD5 ddc36eed6e2df079de3b62374a00b7d5
SHA1 cecaded0162d96953982dbdfb73bdfd988452371
SHA256 28d10770a4fd76d2e9cdfa35323d281f78411e355166f1d351a6cb2db07e184a
SHA512 4307dbb01825eca8b7d00936fefcf60d34b0949382f04fc31d1ce0b676f4942d48cda7d6927370a8dd1d860268481454bd24c4d2bcc69dc8a7881cf5194b222a
File 3
Filesize 66KB
MD5 7d374161042201b07b31bcb4173b4414
SHA1 f8a1d63bc065ab5b5a331764ad1d1b3042145405
SHA256 872b608bfcde2fd6184db5d62a72aff8c2336462e2caf76959fe0921ec3e181a
SHA512 f1ea166392bd2de454a6c8829879b5e9737069f4278fd67f4ab2809794d5d5d7fe512f183650c92dc8f05a905d5d7a0220b4f7b5056ed9c34bfd23486d8b83e4
File 4
Filesize 66KB
MD5 a383196c53e650e968076779e0728361
SHA1 3a137c72c953e6d7c1e37629db1945f111ccb7c0
SHA256 99ac782e24c76d833e7daa6ecaa644afab8664f1d1e727f538d19efa8e89131f
SHA512 7030dc1ee598a41f05764005941e7babb4ae212c216b5ec89a51466eac579a53b92998f9bfd3e9e37a79b44c9340c6f887507751e1eec73d439a076cacf3ca8d