Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 00:44
Static task: static1
Behavioral task: behavioral1
  Sample: 15edec74517a6782f2f92c29c4c0b3f0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 15edec74517a6782f2f92c29c4c0b3f0_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
Target: 15edec74517a6782f2f92c29c4c0b3f0_NeikiAnalytics.exe
Size: 66KB
MD5: 15edec74517a6782f2f92c29c4c0b3f0
SHA1: cfc65e3486a1f838b490365c3d14fe0f722a02bb
SHA256: a29c7d4e0412390e69347593415f6c2b99efff5e875dcdd69dbd97353b46024f
SHA512: 911239892ef95e5bea995d7c04df6b0cb276e0e15b2ee9aa44e5d1739170b6761b6d30dd5f9bda39bc06cbe553a57565024a9f9bfcafdfe98589dce476aaa75e
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiJ:IeklMMYJhqezw/pXzH9iJ
Malware Config
Signatures
Detects BazaLoader malware (1 IoC)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
  resource | yara_rule
  behavioral1/memory/2684-54-0x0000000072940000-0x0000000072A93000-memory.dmp | BazaLoader
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Executes dropped EXE (4 IoCs)
  pid | process
  2148 | explorer.exe
  2540 | spoolsv.exe
  2684 | svchost.exe
  2400 | spoolsv.exe
Loads dropped DLL (8 IoCs; each process recorded twice)
  pid | process
  2192 | 15edec74517a6782f2f92c29c4c0b3f0_NeikiAnalytics.exe
  2148 | explorer.exe
  2540 | spoolsv.exe
  2684 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
  description | ioc | process
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | 15edec74517a6782f2f92c29c4c0b3f0_NeikiAnalytics.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs; the 64 recorded events come from the three processes below)
  pid | process
  2192 | 15edec74517a6782f2f92c29c4c0b3f0_NeikiAnalytics.exe
  2148 | explorer.exe
  2684 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | process
  2148 | explorer.exe
  2684 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | process
  2192 | 15edec74517a6782f2f92c29c4c0b3f0_NeikiAnalytics.exe
  2192 | 15edec74517a6782f2f92c29c4c0b3f0_NeikiAnalytics.exe
  2148 | explorer.exe
  2148 | explorer.exe
  2540 | spoolsv.exe
  2540 | spoolsv.exe
  2684 | svchost.exe
  2684 | svchost.exe
  2400 | spoolsv.exe
  2400 | spoolsv.exe
  2148 | explorer.exe
  2148 | explorer.exe
Suspicious use of WriteProcessMemory (28 IoCs; each parent/child pair below is recorded four times)
  description | pid | process | procid_target
  PID 2192 wrote to memory of 2148 | 2192 | 15edec74517a6782f2f92c29c4c0b3f0_NeikiAnalytics.exe | 28
  PID 2148 wrote to memory of 2540 | 2148 | explorer.exe | 29
  PID 2540 wrote to memory of 2684 | 2540 | spoolsv.exe | 30
  PID 2684 wrote to memory of 2400 | 2684 | svchost.exe | 31
  PID 2684 wrote to memory of 2688 | 2684 | svchost.exe | 32
  PID 2684 wrote to memory of 2064 | 2684 | svchost.exe | 36
  PID 2684 wrote to memory of 1252 | 2684 | svchost.exe | 38
Processes
C:\Users\Admin\AppData\Local\Temp\15edec74517a6782f2f92c29c4c0b3f0_NeikiAnalytics.exe (depth 1, PID 2192)
  command line: "C:\Users\Admin\AppData\Local\Temp\15edec74517a6782f2f92c29c4c0b3f0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe (depth 2, PID 2148)
    command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe (depth 3, PID 2540)
      command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe (depth 4, PID 2684)
        command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe (depth 5, PID 2400)
          command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe (depth 5, PID 2688)
          command line: at 00:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe (depth 5, PID 2064)
          command line: at 00:47 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe (depth 5, PID 1252)
          command line: at 00:48 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads