Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 04-06-2024 01:38
Static task
- static1
Behavioral task
- behavioral1
  Sample: 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe
  Resource: win7-20240220-en
Behavioral task
- behavioral2
  Sample: 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
- Target: 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe
- Size: 66KB
- MD5: 1db53fb00e27e3b5cde19816d55800d0
- SHA1: fe2c7b8ad6bead7dff531e8f03b6065f9ad25728
- SHA256: 8a97c0167aa6144e0f66aaa6f17a3ff1df9b5ef4d90ba749c65aad87b670c7ab
- SHA512: 79e88cc0d0c1b85eaa63822d06a1da0efc74e75200337e78c16db200ac269164a7f87da3d83010f43ebb669d7a06cdb7b7cf555242afb7e24acacb68d0110ac5
- SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiN:IeklMMYJhqezw/pXzH9iN
Malware Config
Signatures
Detects BazaLoader malware (1 IoC)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
- resource: behavioral1/memory/2804-52-0x0000000072940000-0x0000000072A93000-memory.dmp
  yara_rule: BazaLoader
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: svchost.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
Executes dropped EXE (4 IoCs)
- PID 2504 explorer.exe
- PID 2716 spoolsv.exe
- PID 2804 svchost.exe
- PID 2416 spoolsv.exe
Loads dropped DLL (8 IoCs)
- PID 1992 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe (2 entries)
- PID 2504 explorer.exe (2 entries)
- PID 2716 spoolsv.exe (2 entries)
- PID 2804 svchost.exe (2 entries)
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: svchost.exe)
Drops file in Windows directory (6 IoCs)
- File opened for modification C:\Windows\system\udsys.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\system\explorer.exe (process: 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe)
- File opened for modification \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (process: spoolsv.exe)
- File opened for modification \??\c:\windows\system\explorer.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (process: svchost.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1992 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe (1 entry)
- PID 2504 explorer.exe (32 entries)
- PID 2804 svchost.exe (31 entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 2504 explorer.exe
- PID 2804 svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 1992 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe (2 entries)
- PID 2504 explorer.exe (4 entries)
- PID 2716 spoolsv.exe (2 entries)
- PID 2804 svchost.exe (2 entries)
- PID 2416 spoolsv.exe (2 entries)
Suspicious use of WriteProcessMemory (28 IoCs; each entry below appears 4 times in the report)
- PID 1992 wrote to memory of 2504 (process: 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe, procid_target: 28)
- PID 2504 wrote to memory of 2716 (process: explorer.exe, procid_target: 29)
- PID 2716 wrote to memory of 2804 (process: spoolsv.exe, procid_target: 30)
- PID 2804 wrote to memory of 2416 (process: svchost.exe, procid_target: 31)
- PID 2804 wrote to memory of 1892 (process: svchost.exe, procid_target: 32)
- PID 2804 wrote to memory of 2104 (process: svchost.exe, procid_target: 36)
- PID 2804 wrote to memory of 2968 (process: svchost.exe, procid_target: 38)
Processes
- C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe"
  PID: 1992
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 2504
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 2716
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 2804
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 2416
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe
          Command line: at 01:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1892
        - C:\Windows\SysWOW64\at.exe
          Command line: at 01:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2104
        - C:\Windows\SysWOW64\at.exe
          Command line: at 01:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2968
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Downloads
- Filesize: 66KB
  MD5: 737137a203618d13aba1af750429ca9f
  SHA1: a0fcd4b51b03ceff5bc8a5150f954fe171089969
  SHA256: 983ac94a69dc3ab735ab100426aed8b1cc6e7ec39875471cfa64f025158c529a
  SHA512: bdf3d6d09cc5ae0791174f6592cdb1402aae065fd6655e177c06fdf2d774a0f507efcbea483e9a8f8197340d3403a170f8858d63c6320d161727a060fbabf89c
- Filesize: 66KB
  MD5: 3539d32997123cb05d43a043840ba31c
  SHA1: 27b57261d17e8b7775012a51eef24f5312543700
  SHA256: b635c720fe6f9612bf36315239d720a140a0c4725bb8852bb9d68bf60bdde997
  SHA512: 3d026a6265261a0247462151f3e040fd0e2d01f5d96cb4604911ef3fef8fc54889440b985d21ee191f7963bef3d1181d0fcfd7fbc04444330f1acd7776c87b39
- Filesize: 66KB
  MD5: 1cf7c1d4f802e6e680b0c422df721a2d
  SHA1: d6747981fa371b924dc20428fb49ff874404bb65
  SHA256: f5c6fd710d089bbb83364c3a9407e9bde05be5078f10fc5fd92edddffaa90321
  SHA512: ee79572e94c042c71d010ce8e08c4c4d25bc2793e1a4c9c75c064dadebcf295c42726f2bb4ca34a9a0c0452657510aad58174012200a207b0bcdd8d79ce97dd8
- Filesize: 66KB
  MD5: 2979516a72119bb4d8745a626b4af285
  SHA1: 434de048dfc27209d758b6b75502f4d3ea6f5755
  SHA256: 54db52c8b8d7c285e7335c256626ae177419a1b0f0e5229e62cd89b3836fb9f0
  SHA512: 1e5096b1a4571cceede4d52c99fd806270a8b1d43a99f611fe6dd1a794ad5b57a37276ad75897bb17929c5e85a7a4a79726f0dfd2bf5548f3e443d4597fbc39e