Analysis

max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 01:38

Static task: static1

Behavioral task: behavioral1
  Sample: 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General

Target: 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe
Size: 66KB
MD5: 1db53fb00e27e3b5cde19816d55800d0
SHA1: fe2c7b8ad6bead7dff531e8f03b6065f9ad25728
SHA256: 8a97c0167aa6144e0f66aaa6f17a3ff1df9b5ef4d90ba749c65aad87b670c7ab
SHA512: 79e88cc0d0c1b85eaa63822d06a1da0efc74e75200337e78c16db200ac269164a7f87da3d83010f43ebb669d7a06cdb7b7cf555242afb7e24acacb68d0110ac5
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiN:IeklMMYJhqezw/pXzH9iN
Malware Config
Signatures
Detects BazaLoader malware (1 IoC)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

resource | yara_rule
behavioral2/memory/3132-37-0x0000000075080000-0x00000000751DD000-memory.dmp | BazaLoader
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE (4 IoCs)

pid | Process
4340 | explorer.exe
4148 | spoolsv.exe
3132 | svchost.exe
4764 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)

description | ioc | Process
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid | Process (repeated entries collapsed)
2900 | 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe
4340 | explorer.exe
3132 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

pid | Process
4340 | explorer.exe
3132 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)

pid | Process
2900 | 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe
2900 | 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe
4340 | explorer.exe
4340 | explorer.exe
4148 | spoolsv.exe
4148 | spoolsv.exe
3132 | svchost.exe
3132 | svchost.exe
4764 | spoolsv.exe
4764 | spoolsv.exe
4340 | explorer.exe
4340 | explorer.exe
Suspicious use of WriteProcessMemory (21 IoCs)

description | pid | Process | procid_target
PID 2900 wrote to memory of 4340 | 2900 | 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe | 83
PID 2900 wrote to memory of 4340 | 2900 | 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe | 83
PID 2900 wrote to memory of 4340 | 2900 | 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe | 83
PID 4340 wrote to memory of 4148 | 4340 | explorer.exe | 84
PID 4340 wrote to memory of 4148 | 4340 | explorer.exe | 84
PID 4340 wrote to memory of 4148 | 4340 | explorer.exe | 84
PID 4148 wrote to memory of 3132 | 4148 | spoolsv.exe | 86
PID 4148 wrote to memory of 3132 | 4148 | spoolsv.exe | 86
PID 4148 wrote to memory of 3132 | 4148 | spoolsv.exe | 86
PID 3132 wrote to memory of 4764 | 3132 | svchost.exe | 88
PID 3132 wrote to memory of 4764 | 3132 | svchost.exe | 88
PID 3132 wrote to memory of 4764 | 3132 | svchost.exe | 88
PID 3132 wrote to memory of 1708 | 3132 | svchost.exe | 89
PID 3132 wrote to memory of 1708 | 3132 | svchost.exe | 89
PID 3132 wrote to memory of 1708 | 3132 | svchost.exe | 89
PID 3132 wrote to memory of 2944 | 3132 | svchost.exe | 106
PID 3132 wrote to memory of 2944 | 3132 | svchost.exe | 106
PID 3132 wrote to memory of 2944 | 3132 | svchost.exe | 106
PID 3132 wrote to memory of 1636 | 3132 | svchost.exe | 116
PID 3132 wrote to memory of 1636 | 3132 | svchost.exe | 116
PID 3132 wrote to memory of 1636 | 3132 | svchost.exe | 116
Processes

C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe"
  PID: 2900
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 4340
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 4148
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 3132
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 4764
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\at.exe
          Command line: at 01:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1708

        C:\Windows\SysWOW64\at.exe
          Command line: at 01:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2944

        C:\Windows\SysWOW64\at.exe
          Command line: at 01:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1636
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads