Analysis
-
max time kernel
155s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
05/06/2024, 01:26
General
-
Target
2595d6ebf78378d12a336c0b5ff44040_NeikiAnalytics.exe
-
Size
66KB
-
MD5
2595d6ebf78378d12a336c0b5ff44040
-
SHA1
3c4a6ee5ef4ebfbafcb96fcbd11e2b24a0a7bf79
-
SHA256
2a695d24933483add379f6d553d1a6742eb05f7678f6714cee2d2c930558e912
-
SHA512
2a1cf201597fd21968772d351fdbc9664e9781041afc443ce0fafa74059fbd4f90f5a1f9e5a1ddc1f42393714381eb137fa908a136062fddc40713564f6f32df
-
SSDEEP
1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXil:IeklMMYJhqezw/pXzH9il
Malware Config
Signatures
-
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2595d6ebf78378d12a336c0b5ff44040_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2595d6ebf78378d12a336c0b5ff44040_NeikiAnalytics.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 01:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 01:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 01:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66KB
MD59f3e0447f9527cb7b711cddcb9f57e3c
SHA1c97d57ecc4514a199f90d28efc98682fab2be14c
SHA2565cd01902245bc6ec5f6fa0607d4def36841e1183f59c0b8807b3e69d1ff0bcd9
SHA512537ecade1c78fdbfda060679f16c7a5a9d32b781c2f29b2eaee2ea8f8e766d36a1ceb29b87fe9c4ba2ed69a0495fea3355d7cc9cc436a571b69d0a30894f0461
-
Filesize
66KB
MD5273d8ac9be56222c25db21e46dffdf26
SHA1ae779262d4e4e6590d47c42794601cf65a8e98bd
SHA25618d05104c9ed4c90ec72015a70df2603169f30a46fdc2e0bcbfef235a6d8a754
SHA51231907de4acc1e54e919c75e45c46a1b9753a2c566aeaee6a751116d0a73e1635d01ba2e8ec29794b8707917d9dbc6c8f63a47a6d2052944808f56c5aecc1180c
-
Filesize
66KB
MD5d1fa72760871dea982b3f2aa71313798
SHA125ea94c841d841b01050b618a47a9ec8f29065af
SHA25694b81bb7851cd8c55d1d3e008312cad3b59bbb087d124561414a9c6c38363f00
SHA5122702dec1989b7e1b0387b43faed33cb2c141e0123ff86d528383c0486bd524804de6345eadc97499bdedb4d9679feb1de66bfc4f85c06fe3dcc451a15e7d60f0
-
Filesize
66KB
MD543495a7d39a70b86a2c1601b7c702931
SHA1345fb45f62fa3dc80431cef5c2906f78fecae4a9
SHA256362b416e8948cf932527f7435428939ff3fb529c217021b5dc0105bc88320011
SHA51243b250529e8993fa35b77eb40e135c5c4afcf03d935d94d01f9c456a4e340a570ceb76166d45c567c883cc49cfca87cfb9e349dc074b81ad67da8a914b40685f
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
16KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
16KB
-
Filesize
196KB
-
Filesize
1.4MB
-
Filesize
196KB