Analysis
max time kernel: 150s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 04:00
Static task: static1
Behavioral task: behavioral1
  Sample: 8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe
Size: 66KB
MD5: 8cb289f744a3bafac8a23b64448dc080
SHA1: 0b104f60726430d679477ecff9514e3267227fcf
SHA256: d6aa28b2c2adf47ea35bf96a70feb793429327efa89f4bb98c83ef6360c8c79f
SHA512: 8a8bc8eb9c4af52a0b44631a36e8812ad539c558b07b4c6e070c68d47d8ebd2cea556cf15c062f406ea143b192e82d6a9b6fa54bd037ba67d2cf3699c31c1b9b
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiR:IeklMMYJhqezw/pXzH9iR
Malware Config
Signatures
Detects BazaLoader malware (1 IoC)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
  resource: behavioral2/memory/2676-38-0x0000000075760000-0x00000000758BD000-memory.dmp  yara_rule: BazaLoader
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  Process: explorer.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  Process: svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Set value (int): \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  Process: explorer.exe
  Set value (int): \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  Process: svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  Process: svchost.exe
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}  Process: svchost.exe
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  Process: explorer.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  Process: explorer.exe
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}  Process: svchost.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  Process: svchost.exe
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  Process: svchost.exe
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  Process: svchost.exe
Executes dropped EXE (4 IoCs)
  PID 2744  explorer.exe
  PID 4888  spoolsv.exe
  PID 2676  svchost.exe
  PID 2072  spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  Process: svchost.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  Process: explorer.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  Process: explorer.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  Process: svchost.exe
Drops file in Windows directory (6 IoCs)
  File opened for modification: \??\c:\windows\system\explorer.exe  Process: 8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe
  File opened for modification: \??\c:\windows\system\spoolsv.exe  Process: explorer.exe
  File opened for modification: \??\c:\windows\system\svchost.exe  Process: spoolsv.exe
  File opened for modification: \??\c:\windows\system\explorer.exe  Process: explorer.exe
  File opened for modification: \??\c:\windows\system\svchost.exe  Process: svchost.exe
  File opened for modification: C:\Windows\system\udsys.exe  Process: explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 entries, repeated across three processes:
  PID 2148  8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe
  PID 2744  explorer.exe
  PID 2676  svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 2744  explorer.exe
  PID 2676  svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
  PID 2148  8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe (x2)
  PID 2744  explorer.exe (x4)
  PID 4888  spoolsv.exe (x2)
  PID 2676  svchost.exe (x2)
  PID 2072  spoolsv.exe (x2)
Suspicious use of WriteProcessMemory (21 IoCs; each row recorded 3 times)
  PID 2148 wrote to memory of 2744  Process: 8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe  procid_target: 81
  PID 2744 wrote to memory of 4888  Process: explorer.exe  procid_target: 82
  PID 4888 wrote to memory of 2676  Process: spoolsv.exe  procid_target: 83
  PID 2676 wrote to memory of 2072  Process: svchost.exe  procid_target: 84
  PID 2676 wrote to memory of 2848  Process: svchost.exe  procid_target: 85
  PID 2676 wrote to memory of 1776  Process: svchost.exe  procid_target: 95
  PID 2676 wrote to memory of 1260  Process: svchost.exe  procid_target: 97
Processes
C:\Users\Admin\AppData\Local\Temp\8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8cb289f744a3bafac8a23b64448dc080_NeikiAnalytics.exe"
  PID: 2148
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe
    command line: c:\windows\system\explorer.exe
    PID: 2744
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe
      command line: c:\windows\system\spoolsv.exe SE
      PID: 4888
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe
        command line: c:\windows\system\svchost.exe
        PID: 2676
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe PR
          PID: 2072
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe
          command line: at 04:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2848
        C:\Windows\SysWOW64\at.exe
          command line: at 04:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1776
        C:\Windows\SysWOW64\at.exe
          command line: at 04:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1260
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 3
    Registry Run Keys / Startup Folder: 2
    Winlogon Helper DLL: 1
Privilege Escalation
  Boot or Logon Autostart Execution: 3
    Registry Run Keys / Startup Folder: 2
    Winlogon Helper DLL: 1
Downloads
File 1
  Filesize: 66KB
  MD5: 5406d6dc743e6fc69b1b84c868b46908
  SHA1: 71d2795a73794dc0a8c27e136840cdb8ad5b81fe
  SHA256: dd2070f7ff687c6002b6b0ab3f0a0f3d1b23f091e33802d231b9f34c5367b19e
  SHA512: f345c4bafaca2e238384a4001a45c2d35e9969e65c656f969e68e17632cbafc2613fc15c950f18a28d2c0447ffa264439279a5ff86537ab1349b92fba0e61d4a
File 2
  Filesize: 66KB
  MD5: 31ae92996268ad3f13b3110f28f8a5be
  SHA1: 9b1a675cf36a37eacd7fa9b12afe2d69ece5b1a6
  SHA256: c00e52122d721eedfece5f61fbdd17e2f50addfaa9fe2b70a8e8b15d5d54711d
  SHA512: a561fa1a4d917b1a025fb062ee97c9fdbaa578513e1a4e266b44547b2d3a2d938e81694c0f1b9aaa32e82843f89b7b258e1ecbba280800f1ce764a9c6e9656af
File 3
  Filesize: 66KB
  MD5: 0993b0e55f6aebc79d723569b36e0ce5
  SHA1: a7385c523c72f4210dc034ea6140d4f085a30cf2
  SHA256: b538ac4b446aa78f0b13a7a56d6416c6e0b0bbf4f804823b5c40419956ee764a
  SHA512: d58d687a5b56b428a75ef55f02afd9b3538301e021a826b1c36983e6b0633f9157db416058c662a38b860707a758b004f979466e1830cf6d6bf8895abd1b7874
File 4
  Filesize: 66KB
  MD5: 8bdc8efe8e8e6bfa3b93dc18d6b3c6dd
  SHA1: 550576bb6783a84e5751c7b87767d132938b2c68
  SHA256: ab91b1ec713fe86357bfe4492fb832ed9adb120506570e3ee5d23ca578db41d2
  SHA512: aecaccc6c4c28a6ffc78034787e96eb48d281d21f51abc6ac4f7ab063298d232901ba7de03beffeff90f8f34be83520ad2e78952e57bc099bf2ec6670b7fb699