Analysis Overview
SHA256: a441982cf9d2fb555a97c2d7b3a240b4d30ff5ec4653c8e493515fd04e1030f7
Threat Level: Likely malicious
The file c50e1fae2032a895de7622eed4d3bb10_NEIKI was found to be: Likely malicious.
Malicious Activity Summary
Modifies AppInit DLL entries
Executes dropped EXE
ASPack v2.12-2.42
Drops file in Program Files directory
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported: 2024-05-09 01:50
Signatures
ASPack v2.12-2.42
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-09 01:50
Reported: 2024-05-09 01:53
Platform: win7-20240215-en
Max time kernel: 121s
Max time network: 127s
Signatures
Modifies AppInit DLL entries
ASPack v2.12-2.42
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\PROGRA~3\Mozilla\racmzae.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\PROGRA~3\Mozilla\racmzae.exe | C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\ttbtowf.dll | C:\PROGRA~3\Mozilla\racmzae.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe | N/A |
| N/A | N/A | C:\PROGRA~3\Mozilla\racmzae.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3004 wrote to memory of 1964 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\racmzae.exe |
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe | "C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe" |
| C:\Windows\system32\taskeng.exe | taskeng.exe {AB338840-9FC1-4D20-A300-8F8D454CA16A} S-1-5-18:NT AUTHORITY\System:Service: |
| C:\PROGRA~3\Mozilla\racmzae.exe | C:\PROGRA~3\Mozilla\racmzae.exe -cddhnyc |
Files
C:\PROGRA~3\Mozilla\racmzae.exe
| Hash | Value |
|---|---|
| MD5 | c5e7c6fb4e7888a41fd9b2e230c099b1 |
| SHA1 | 45e721d662ee922cbf0c5d8258734972b3465fbf |
| SHA256 | 96a0f4ab3a13fe8f7a78124213ffb21cb20f0eab7c6e682223b053c2da31e801 |
| SHA512 | 57801edc46f7af6125450b92ba0367c777e7cd9ee404b193c89c38c79772ebee7644625a0c578f068adf0892289858de9ec9faed8c9ba802bf36ecb1c549bbc1 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-05-09 01:50
Reported: 2024-05-09 01:53
Platform: win10v2004-20240226-en
Max time kernel: 139s
Max time network: 165s
Signatures
Modifies AppInit DLL entries
ASPack v2.12-2.42
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\PROGRA~3\Mozilla\crdkdxb.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\PROGRA~3\Mozilla\crdkdxb.exe | C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\xczzoaa.dll | C:\PROGRA~3\Mozilla\crdkdxb.exe | N/A |
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe | "C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe" |
| C:\PROGRA~3\Mozilla\crdkdxb.exe | C:\PROGRA~3\Mozilla\crdkdxb.exe -ofessij |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8 |
Network
Files
C:\PROGRA~3\Mozilla\crdkdxb.exe
| Hash | Value |
|---|---|
| MD5 | ea23f377e284798f403725389f110ad7 |
| SHA1 | 01d224f072728f4a0dd3243c3bae2141d375c85f |
| SHA256 | c1b6333a8dc798c60725bcc6bd2a3f9575ddd2c7222e85b59660ae7f43ce4154 |
| SHA512 | b7c6cb9affe7fcd2da254ee9b130744cc6b78d1e9b1ec996b721963a0652c8d7370d0bd4d42df72030db5f3fa408ce122f7ad948dd778a0f506b3cc8d3e7f24a |