Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
01/06/2024, 13:30
General
-
Target
b03d14abb6a6bec4065d251a9ee1d880_NeikiAnalytics.exe
-
Size
65KB
-
MD5
b03d14abb6a6bec4065d251a9ee1d880
-
SHA1
77c9fcb66539a8cc79bcef3bed0a6be46137c6c5
-
SHA256
0931cce738d7aa8b3158870fdfd7f2db842c4681b9d256ef187ee9e5aa3e4926
-
SHA512
f7110e64973799cb18f45d2239cc2bd56b3002607828192e82778cd95f2dfaaa4900d2719f2fd30646bb32ec00de660aadd1b8912895ee53940eedd013ba3263
-
SSDEEP
1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuGjjjjjjjjjjjjjjjjjjA:7WNqkOJWmo1HpM0MkTUmuGjjjjjjjjjE
Malware Config
Signatures
-
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b03d14abb6a6bec4065d251a9ee1d880_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\b03d14abb6a6bec4065d251a9ee1d880_NeikiAnalytics.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 13:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 13:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 13:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD50b85d538325db6c3e49b14a4f81c3741
SHA17da8e58b221647376672362950d91c4c3fe6f40a
SHA256c364f55dd42e8c81adbbd5d28f4d6d62a6539b936bb88fd1a6ae4dbcc9e1eb75
SHA5120348e5d8b21a1f6acdc5853854cc34cf7fabd613caac2350311aebc94bf65c91a51f29fc4b09a2d4e850626f6e098e5ba6d4bbd041964404cc243e9468917a7b
-
Filesize
65KB
MD5e56f48b25f63a0b694ec549343b447de
SHA1f4541f73e63738269b63937efa8cafd7b21daaa9
SHA2567958c816e0777bce6fd3b161c511b782ff703cd0e83909f1f78f8d92012f0993
SHA512b6190a7209bbad3d8b8eba08290cf983271e029ac2a93b373dbc500c6397669289f81e80527e10c6e17379507509147c74740235c0efc4408a8dc71a4445ec15
-
Filesize
65KB
MD51d7357db6d12616360b303888c6b3bb7
SHA1cb829983f7727d8895c29dbe1f89ab3d79e2b78a
SHA25675dacb1ecbdd49aac635bae04b9e38aa6762e416f24a523d8fead901a4abeb31
SHA51292a0840a81ae90101e454d6bf526e10639cbb6cfd33690296202716970cd5285d840adc0487df2662206152795613463c0c98d6a0041055d64d13a8b91202202
-
Filesize
65KB
MD541f11a5f9764670d25b770d192496357
SHA18ec951f3e4fe2d5f90d0cd80f2c75203f787c3ac
SHA256bd45ff7196bbc66102909921a572dbd5ab6a398f0cbae85d34a22e58895417ca
SHA5127316d85ca1adf4855b41ffc96a705c421c60534bbdcc5a8757a4f89bc7aa10a2fb98892fc2b11357887cb23cf4aeea629a8fe58fbbad9930bab0bacfe920d384
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
16KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
16KB