Malware Analysis Report

2025-03-15 05:42

Sample ID 240509-1tr8bagf5y
Target 09019e2c74592a818c89c056e6271ba0_NeikiAnalytics
SHA256 334712b004f71b5c5440bcc0fd20a34305ebdde49cb5c1f3f1ce25a8ec33e401
Tags: aspackv2, persistence
Score: 8/10

Analysis Overview

Score: 8/10

SHA256

334712b004f71b5c5440bcc0fd20a34305ebdde49cb5c1f3f1ce25a8ec33e401

Threat Level: Likely malicious

The file 09019e2c74592a818c89c056e6271ba0_NeikiAnalytics was found to be: Likely malicious.

Malicious Activity Summary

aspackv2 persistence

Modifies AppInit DLL entries

ASPack v2.12-2.42

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Analysis: static1

Detonation Overview

Reported

2024-05-09 21:56

Signatures

ASPack v2.12-2.42

aspackv2
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 21:56

Reported

2024-05-09 21:59

Platform

win7-20240221-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09019e2c74592a818c89c056e6271ba0_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

ASPack v2.12-2.42

aspackv2
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Executes dropped EXE

Description  Indicator  Process                          Target
N/A          N/A        C:\PROGRA~3\Mozilla\pfwoyhh.exe  N/A

Drops file in Program Files directory

Description   Indicator                        Process                                                                                  Target
File created  C:\PROGRA~3\Mozilla\pfwoyhh.exe  C:\Users\Admin\AppData\Local\Temp\09019e2c74592a818c89c056e6271ba0_NeikiAnalytics.exe  N/A
File created  C:\PROGRA~3\Mozilla\bjvdwgg.dll  C:\PROGRA~3\Mozilla\pfwoyhh.exe                                                          N/A

Suspicious use of UnmapMainImage

Description  Indicator  Process                                                                                  Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\09019e2c74592a818c89c056e6271ba0_NeikiAnalytics.exe  N/A
N/A          N/A        C:\PROGRA~3\Mozilla\pfwoyhh.exe                                                          N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                          Target
PID 1944 wrote to memory of 2552  N/A        C:\Windows\system32\taskeng.exe  C:\PROGRA~3\Mozilla\pfwoyhh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\09019e2c74592a818c89c056e6271ba0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\09019e2c74592a818c89c056e6271ba0_NeikiAnalytics.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {2A157E6C-DBE1-4A1C-AECD-087CDED79858} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\pfwoyhh.exe

C:\PROGRA~3\Mozilla\pfwoyhh.exe -zhxzcvh

Network

N/A

Files

C:\PROGRA~3\Mozilla\pfwoyhh.exe

MD5 8f914b24fa4fdc62c8988e25cc53ea03
SHA1 67f58f4074b202c4b4902dda7fc9e5843541bb4f
SHA256 f38f127160c2f304c3ccdd93938771b7c58790073d55cf24706cfd9b450ffcf6
SHA512 83177591c1ec7053e8316c7919ee58f2bd6361796dffff9c5f7bbf040bcfa756943e35f3355e84508c7a212627e880b39b8a646acfc925a30db9eb421d0b977e

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 21:56

Reported

2024-05-09 21:59

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09019e2c74592a818c89c056e6271ba0_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

ASPack v2.12-2.42

aspackv2
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Executes dropped EXE

Description  Indicator  Process                          Target
N/A          N/A        C:\PROGRA~3\Mozilla\lrjbnqc.exe  N/A

Drops file in Program Files directory

Description   Indicator                        Process                                                                                  Target
File created  C:\PROGRA~3\Mozilla\lrjbnqc.exe  C:\Users\Admin\AppData\Local\Temp\09019e2c74592a818c89c056e6271ba0_NeikiAnalytics.exe  N/A
File created  C:\PROGRA~3\Mozilla\vbwqqmn.dll  C:\PROGRA~3\Mozilla\lrjbnqc.exe                                                          N/A

Processes

C:\Users\Admin\AppData\Local\Temp\09019e2c74592a818c89c056e6271ba0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\09019e2c74592a818c89c056e6271ba0_NeikiAnalytics.exe"

C:\PROGRA~3\Mozilla\lrjbnqc.exe

C:\PROGRA~3\Mozilla\lrjbnqc.exe -lihtnse

Network

Files

C:\PROGRA~3\Mozilla\lrjbnqc.exe

MD5 0a2a3dd09e78f3cdb5e72d251b78ee39
SHA1 6d743823e170083159a339136660a47d1fb1f473
SHA256 577641f1df841cf5fd8139f6f3836a855e552322278745a8835961e79b5dd9b1
SHA512 4ba76bb2420c0496f7756d799b512263ad566797ed61c229f2074675d81a4fefa48a0bc47d81909d4427c0a34214ad2f2216a413de72f57bc84eb203e2f4dc56
