Analysis Overview
SHA256
31ad5b6eaa002c74394f3111d3fa60c721ebd93931756fcdacf2ac57000a75f1
Threat Level: Likely malicious
The file 8563209274cd91effedd6b6c74c3abe0_NEIKI was found to be: Likely malicious.
Malicious Activity Summary
Modifies AppInit DLL entries
ASPack v2.12-2.42
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-08 22:48
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-08 22:48
Reported
2024-05-08 22:50
Platform
win7-20240221-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Modifies AppInit DLL entries
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\pfwoyhh.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\bjvdwgg.dll | C:\PROGRA~3\Mozilla\pfwoyhh.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\pfwoyhh.exe | C:\Users\Admin\AppData\Local\Temp\8563209274cd91effedd6b6c74c3abe0_NEIKI.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8563209274cd91effedd6b6c74c3abe0_NEIKI.exe | N/A |
| N/A | N/A | C:\PROGRA~3\Mozilla\pfwoyhh.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2036 wrote to memory of 2600 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\pfwoyhh.exe |
| PID 2036 wrote to memory of 2600 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\pfwoyhh.exe |
| PID 2036 wrote to memory of 2600 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\pfwoyhh.exe |
| PID 2036 wrote to memory of 2600 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\pfwoyhh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8563209274cd91effedd6b6c74c3abe0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\8563209274cd91effedd6b6c74c3abe0_NEIKI.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {C53DF466-E70C-4696-ABA3-86EFBA667D4D} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\pfwoyhh.exe
C:\PROGRA~3\Mozilla\pfwoyhh.exe -zhxzcvh
Network
Files
memory/2848-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2848-1-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2848-2-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2848-4-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2848-3-0x0000000000260000-0x00000000002BB000-memory.dmp
memory/2848-6-0x0000000000400000-0x000000000045B000-memory.dmp
C:\PROGRA~3\Mozilla\pfwoyhh.exe
| MD5 | fcd5fb70037d7fa241bd9a1a4dde2143 |
| SHA1 | 00ea3639dc22256e814794d26b19b274ab7ef220 |
| SHA256 | bd5c5278cde1ab54c2e4c70d6b7de04e8246b147787ed543ad7051212badce50 |
| SHA512 | 5c183e6d4e16cf706e044eda78a9f2c57ec2f5f0b2a0523b301410fad34657180d1141168568b42c10d06ab31aaf10eb6866d135354670c03bb88bde3fe25440 |
memory/2600-10-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2600-9-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2600-11-0x00000000003A0000-0x00000000003FB000-memory.dmp
memory/2600-12-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2600-14-0x0000000000400000-0x000000000045B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-08 22:48
Reported
2024-05-08 22:50
Platform
win10v2004-20240508-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Modifies AppInit DLL entries
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\onvmijj.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\onvmijj.exe | C:\Users\Admin\AppData\Local\Temp\8563209274cd91effedd6b6c74c3abe0_NEIKI.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\gmzywaj.dll | C:\PROGRA~3\Mozilla\onvmijj.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8563209274cd91effedd6b6c74c3abe0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\8563209274cd91effedd6b6c74c3abe0_NEIKI.exe"
C:\PROGRA~3\Mozilla\onvmijj.exe
C:\PROGRA~3\Mozilla\onvmijj.exe -ibpmpgd
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/3940-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3940-1-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3940-2-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3940-4-0x0000000000400000-0x000000000045B000-memory.dmp
memory/3940-3-0x00000000020F0000-0x000000000214B000-memory.dmp
C:\ProgramData\Mozilla\onvmijj.exe
| MD5 | 98dd7f95439dad779bdc3b1d667ede55 |
| SHA1 | d3a90ab70af216731ee2fec62a23633342200d4e |
| SHA256 | da6af8a36cb1b88252e6f4b636cfa8b4ee9e3cef4e10276a52a6693061760186 |
| SHA512 | 7844ddc2c9d5211bc76bb2b9932f9bee9d8434122c0ef4b2a9821bd62fca01711ebcdb471bbb2e88d17b1c08395fb9e30c8d9a77b0f74fe28a1d39951f9e6a30 |
memory/1012-8-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1012-10-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1012-11-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3940-15-0x00000000020F0000-0x000000000214B000-memory.dmp
memory/3940-14-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1012-13-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1012-12-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1012-18-0x0000000000400000-0x000000000045B000-memory.dmp