6055510740afbda663d615beac7ec8cd86403d36a6fcc964d32f608b0516bc33

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b92fb864ef1b3b2a1eb77b056a9e830_NeikiAnalytics.exe
Size

66KB
MD5

3b92fb864ef1b3b2a1eb77b056a9e830
SHA1

f6277118a0abb7e03fc2497d5cd529a14bc746c8
SHA256

6055510740afbda663d615beac7ec8cd86403d36a6fcc964d32f608b0516bc33
SHA512

9f0b93d2bc674425b7bf1f089c34562ee2fead11d959780ca0bd1e6fd8096fafcf20fc3700d4f26e28b3f508189ad66952bfa779a4654b8747d5d2f30a62b180
SSDEEP

1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiB:IeklMMYJhqezw/pXzH9iB

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Detects BazaLoader malware 1 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

resource	yara_rule
behavioral1/memory/2712-51-0x0000000072940000-0x0000000072A93000-memory.dmp	BazaLoader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2648	explorer.exe
2688	spoolsv.exe
2712	svchost.exe
2524	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2056	3b92fb864ef1b3b2a1eb77b056a9e830_NeikiAnalytics.exe
2056	3b92fb864ef1b3b2a1eb77b056a9e830_NeikiAnalytics.exe
2648	explorer.exe
2648	explorer.exe
2688	spoolsv.exe
2688	spoolsv.exe
2712	svchost.exe
2712	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	3b92fb864ef1b3b2a1eb77b056a9e830_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2056	3b92fb864ef1b3b2a1eb77b056a9e830_NeikiAnalytics.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2712	svchost.exe
2712	svchost.exe
2648	explorer.exe
2712	svchost.exe
2648	explorer.exe
2648	explorer.exe
2712	svchost.exe
2648	explorer.exe
2712	svchost.exe
2712	svchost.exe
2648	explorer.exe
2648	explorer.exe
2712	svchost.exe
2712	svchost.exe
2648	explorer.exe
2712	svchost.exe
2648	explorer.exe
2648	explorer.exe
2712	svchost.exe
2712	svchost.exe
2648	explorer.exe
2648	explorer.exe
2712	svchost.exe
2648	explorer.exe
2712	svchost.exe
2712	svchost.exe
2648	explorer.exe
2712	svchost.exe
2648	explorer.exe
2648	explorer.exe
2712	svchost.exe
2712	svchost.exe
2648	explorer.exe
2712	svchost.exe
2648	explorer.exe
2648	explorer.exe
2712	svchost.exe
2648	explorer.exe
2712	svchost.exe
2712	svchost.exe
2648	explorer.exe
2648	explorer.exe
2712	svchost.exe
2648	explorer.exe
2712	svchost.exe
2648	explorer.exe
2712	svchost.exe
2712	svchost.exe
2648	explorer.exe
2712	svchost.exe
2648	explorer.exe
2712	svchost.exe
2648	explorer.exe
2648	explorer.exe
2712	svchost.exe
2712	svchost.exe
2648	explorer.exe
2648	explorer.exe
2712	svchost.exe
2712	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2648	explorer.exe
2712	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2056	3b92fb864ef1b3b2a1eb77b056a9e830_NeikiAnalytics.exe
2056	3b92fb864ef1b3b2a1eb77b056a9e830_NeikiAnalytics.exe
2648	explorer.exe
2648	explorer.exe
2688	spoolsv.exe
2688	spoolsv.exe
2712	svchost.exe
2712	svchost.exe
2524	spoolsv.exe
2524	spoolsv.exe
2648	explorer.exe
2648	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2648	2056	3b92fb864ef1b3b2a1eb77b056a9e830_NeikiAnalytics.exe	28
PID 2056 wrote to memory of 2648	2056	3b92fb864ef1b3b2a1eb77b056a9e830_NeikiAnalytics.exe	28
PID 2056 wrote to memory of 2648	2056	3b92fb864ef1b3b2a1eb77b056a9e830_NeikiAnalytics.exe	28
PID 2056 wrote to memory of 2648	2056	3b92fb864ef1b3b2a1eb77b056a9e830_NeikiAnalytics.exe	28
PID 2648 wrote to memory of 2688	2648	explorer.exe	29
PID 2648 wrote to memory of 2688	2648	explorer.exe	29
PID 2648 wrote to memory of 2688	2648	explorer.exe	29
PID 2648 wrote to memory of 2688	2648	explorer.exe	29
PID 2688 wrote to memory of 2712	2688	spoolsv.exe	30
PID 2688 wrote to memory of 2712	2688	spoolsv.exe	30
PID 2688 wrote to memory of 2712	2688	spoolsv.exe	30
PID 2688 wrote to memory of 2712	2688	spoolsv.exe	30
PID 2712 wrote to memory of 2524	2712	svchost.exe	31
PID 2712 wrote to memory of 2524	2712	svchost.exe	31
PID 2712 wrote to memory of 2524	2712	svchost.exe	31
PID 2712 wrote to memory of 2524	2712	svchost.exe	31
PID 2712 wrote to memory of 2348	2712	svchost.exe	32
PID 2712 wrote to memory of 2348	2712	svchost.exe	32
PID 2712 wrote to memory of 2348	2712	svchost.exe	32
PID 2712 wrote to memory of 2348	2712	svchost.exe	32
PID 2712 wrote to memory of 1648	2712	svchost.exe	36
PID 2712 wrote to memory of 1648	2712	svchost.exe	36
PID 2712 wrote to memory of 1648	2712	svchost.exe	36
PID 2712 wrote to memory of 1648	2712	svchost.exe	36
PID 2712 wrote to memory of 648	2712	svchost.exe	38
PID 2712 wrote to memory of 648	2712	svchost.exe	38
PID 2712 wrote to memory of 648	2712	svchost.exe	38
PID 2712 wrote to memory of 648	2712	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\3b92fb864ef1b3b2a1eb77b056a9e830_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3b92fb864ef1b3b2a1eb77b056a9e830_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2648
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2524
    - - C:\Windows\SysWOW64\at.exe
        
        at 05:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2348
    - - C:\Windows\SysWOW64\at.exe
        
        at 05:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1648
    - - C:\Windows\SysWOW64\at.exe
        
        at 05:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
66KB

MD5
5ab61926ab4ef3af7dce0f96be2e7269

SHA1
cea903abcb863def228995674153fd8a406b07ec

SHA256
7d3c7f5b7249a9401140e7f142223957525414a9a2625834276dd52bcad474b9

SHA512
f0437680001221773878e28e42b625fe2b54f65af43d44496ac527771636b7207f61c168a34ccb2dd748d2a5ee86a7b26999fef27745821ec40786a1ed60e6d1

Download Submit
\Windows\system\explorer.exe

Filesize
66KB

MD5
2c2ccf6e6ab1ba3d9ce33bc4ec77fb6e

SHA1
638b62206f3690e8b03c6a429e1fc26c1045db90

SHA256
1f2798655e3345f8f69944a73029c2b4b249fc65486b3d7de242ae55cbd43b26

SHA512
9b986c0ee04acf88257f83ea55c8e5cb396ccc8dcd1e7cbea9141f23a81a76dcdb8cedb98711317e28e2cc98c28f8cf034fd3a6547ff38af04d157d882a92ce7

Download Submit
\Windows\system\spoolsv.exe

Filesize
66KB

MD5
b5c1a0c48c50635d374417dd9d011c85

SHA1
c1ee753841a5205900cdecc4196deb3f3e418108

SHA256
be738d04894a62ad00134dd4ceb82b636a707c947b4662964ac75b7407da5350

SHA512
e503e14bc1225ee42542e4404c51f2743c9bdc786c060f14af1c9fbce67ca21414699b1450bb9990fdcdae4002181a872c64bca80d8b2fb07025ef18f7c50a26

Download Submit
\Windows\system\svchost.exe

Filesize
66KB

MD5
712c9dd8b3ca846dee6b44b92d8b1842

SHA1
cac02808201aa29403f1633c7e7e3264536112e7

SHA256
d66684ec86858f0e4ccdc52e0bc04edb522a6598d7079f37a4e1d2a14cdb5036

SHA512
4222be2754b4c061d08ebc744d955f2d64ae2e33661b1589f361a183d9639c57ab77e1350cdc01dbaab6c2a42eff78b0f5c5fb329807611986cbf04551267fde

Download Submit
memory/2056-4-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2056-17-0x0000000003240000-0x0000000003271000-memory.dmp

Filesize
196KB

Download
memory/2056-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2056-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2056-76-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2056-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2056-77-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2056-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2056-62-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2524-65-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2524-71-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2524-64-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2648-18-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2648-19-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2648-21-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2648-79-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2648-90-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2688-55-0x0000000002600000-0x0000000002631000-memory.dmp

Filesize
196KB

Download
memory/2688-39-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2688-74-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2688-35-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2712-63-0x0000000002520000-0x0000000002551000-memory.dmp

Filesize
196KB

Download
memory/2712-56-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2712-51-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2712-81-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download