Malware Analysis Report

2025-03-15 05:44

Sample ID 240509-b9hldabh2w
Target c50e1fae2032a895de7622eed4d3bb10_NEIKI
SHA256 a441982cf9d2fb555a97c2d7b3a240b4d30ff5ec4653c8e493515fd04e1030f7
Tags

aspackv2, persistence

Score

8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

8/10

SHA256

a441982cf9d2fb555a97c2d7b3a240b4d30ff5ec4653c8e493515fd04e1030f7

Threat Level: Likely malicious

The file c50e1fae2032a895de7622eed4d3bb10_NEIKI was found to be: Likely malicious.

Malicious Activity Summary

aspackv2 persistence

Modifies AppInit DLL entries

Executes dropped EXE

ASPack v2.12-2.42

Drops file in Program Files directory

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 01:50

Signatures

ASPack v2.12-2.42

aspackv2
No indicator details recorded.

Unsigned PE

No indicator details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 01:50

Reported

2024-05-09 01:53

Platform

win7-20240215-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe"

Signatures

Modifies AppInit DLL entries

persistence

ASPack v2.12-2.42

aspackv2
No indicator details recorded.

Executes dropped EXE

Process: C:\PROGRA~3\Mozilla\racmzae.exe

Drops file in Program Files directory

Description   Indicator                         Process
File created  C:\PROGRA~3\Mozilla\racmzae.exe   C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe
File created  C:\PROGRA~3\Mozilla\ttbtowf.dll   C:\PROGRA~3\Mozilla\racmzae.exe

Suspicious use of UnmapMainImage

Process: C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe
Process: C:\PROGRA~3\Mozilla\racmzae.exe

Suspicious use of WriteProcessMemory

Description                       Process                          Target
PID 3004 wrote to memory of 1964  C:\Windows\system32\taskeng.exe  C:\PROGRA~3\Mozilla\racmzae.exe
PID 3004 wrote to memory of 1964  C:\Windows\system32\taskeng.exe  C:\PROGRA~3\Mozilla\racmzae.exe
PID 3004 wrote to memory of 1964  C:\Windows\system32\taskeng.exe  C:\PROGRA~3\Mozilla\racmzae.exe
PID 3004 wrote to memory of 1964  C:\Windows\system32\taskeng.exe  C:\PROGRA~3\Mozilla\racmzae.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {AB338840-9FC1-4D20-A300-8F8D454CA16A} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\racmzae.exe

C:\PROGRA~3\Mozilla\racmzae.exe -cddhnyc
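The chain the behavioral1 tables record is: the sample writes racmzae.exe under C:\PROGRA~3\Mozilla, racmzae.exe runs (with taskeng.exe, the Windows 7 Task Scheduler engine, recorded as the process writing into it), drops ttbtowf.dll beside itself, and the "Modifies AppInit DLL entries" signature fires without the report recording which value changed. Two caveats a responder wants here: C:\PROGRA~3 is an 8.3 short name that on a default install resolves to C:\ProgramData rather than Program Files, so a rule keyed on the long path misses it unless it normalises; and AppInit_DLLs only loads into new processes when LoadAppInit_DLLs is 1 and, on Windows 8 and later, only when Secure Boot is off, so on the Win10 detonation the registry write may persist without ever executing. The following is an added example, not sandbox output: detection logic over constructed Sysmon-style events modelled on the tables above, correlating the file drop with the later process start and the AppInit write (ATT&CK T1546.010). The two registry events, the Sysmon field names and the 8.3 mapping are assumptions, marked as such in the code.

```python
"""Detection logic for the persistence chain in this report, run over a
handful of constructed Sysmon-style events (EventID 1 = ProcessCreate,
11 = FileCreate, 13 = RegistryEvent value set). Added example, not
sandbox output."""
from __future__ import annotations

# Assumed 8.3 short-name mapping for a default install. PROGRA~n is assigned
# in directory-creation order, so confirm it on the host (cmd /c dir /x C:\)
# before relying on it.
SHORT_NAMES = {
    r"c:\progra~1": r"c:\program files",
    r"c:\progra~2": r"c:\program files (x86)",
    r"c:\progra~3": r"c:\programdata",
}

# Native and WOW64 views of the AppInit key (ATT&CK T1546.010).
APPINIT_KEYS = (
    r"hklm\software\microsoft\windows nt\currentversion\windows",
    r"hklm\software\wow6432node\microsoft\windows nt\currentversion\windows",
)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe"
DROPPED_EXE = r"C:\PROGRA~3\Mozilla\racmzae.exe"
DROPPED_DLL = r"C:\PROGRA~3\Mozilla\ttbtowf.dll"
TASKENG = r"C:\Windows\system32\taskeng.exe"

# Constructed events modelled on the behavioral1 tables. The parent of the
# dropped EXE is taskeng.exe, as the WriteProcessMemory rows record. The two
# registry events are an assumption: the report flags an AppInit change but
# gives no value, so the dropped DLL is assumed to be what was written.
EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPED_EXE},
    {"EventID": 1, "Image": DROPPED_EXE, "ParentImage": TASKENG,
     "CommandLine": DROPPED_EXE + " -cddhnyc"},
    {"EventID": 11, "Image": DROPPED_EXE, "TargetFilename": DROPPED_DLL},
    {"EventID": 13, "Image": DROPPED_EXE, "Details": DROPPED_DLL,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"},
    {"EventID": 13, "Image": DROPPED_EXE, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs"},
]


def normalize(path: str) -> str:
    r"""Lower-case a Windows path and expand the assumed 8.3 prefixes so that
    C:\PROGRA~3\... and C:\ProgramData\... compare equal."""
    p = path.strip().strip('"').lower()
    for short, full in SHORT_NAMES.items():
        if p.startswith(short):
            return full + p[len(short):]
    return p


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, detail) findings, correlating file drops with later
    process starts and with AppInit_DLLs / LoadAppInit_DLLs writes."""
    findings: list[tuple[str, str]] = []
    dropped: dict[str, str] = {}  # normalized dropped path -> writing image
    for ev in events:
        eid = ev.get("EventID")
        image = normalize(ev.get("Image", ""))
        if eid == 11:
            dropped[normalize(ev.get("TargetFilename", ""))] = image
        elif eid == 1:
            if image in dropped:
                findings.append(("dropped_exe_executed",
                                 f"{image} written earlier by {dropped[image]}"))
                parent = normalize(ev.get("ParentImage", ""))
                if parent.endswith("\\taskeng.exe"):
                    findings.append(("task_scheduler_parent",
                                     f"{image} started by {parent}"))
        elif eid == 13:
            key, _, value = normalize(ev.get("TargetObject", "")).rpartition("\\")
            if key not in APPINIT_KEYS or value not in ("appinit_dlls", "loadappinit_dlls"):
                continue
            details = ev.get("Details", "")
            findings.append((f"{value}_set", f"{image} wrote {details!r}"))
            if value == "appinit_dlls":
                # AppInit_DLLs is a space- or comma-separated list; paths with
                # spaces must already be in 8.3 form, so splitting is safe.
                for dll in details.replace(",", " ").split():
                    ndll = normalize(dll)
                    if ndll in dropped:
                        findings.append(("appinit_dll_was_dropped",
                                         f"{ndll} written by {dropped[ndll]}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

The correlation is stateful on purpose: a file create under ProgramData on its own is noise, a process start of a path seen in an earlier file create is not, and an AppInit_DLLs value pointing at such a path is the strongest of the three signals.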

Network

N/A

Files

memory/2804-0-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2804-2-0x0000000000442000-0x0000000000443000-memory.dmp

memory/2804-1-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2804-3-0x0000000000250000-0x00000000002AC000-memory.dmp

memory/2804-4-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2804-6-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\racmzae.exe

MD5 c5e7c6fb4e7888a41fd9b2e230c099b1
SHA1 45e721d662ee922cbf0c5d8258734972b3465fbf
SHA256 96a0f4ab3a13fe8f7a78124213ffb21cb20f0eab7c6e682223b053c2da31e801
SHA512 57801edc46f7af6125450b92ba0367c777e7cd9ee404b193c89c38c79772ebee7644625a0c578f068adf0892289858de9ec9faed8c9ba802bf36ecb1c549bbc1

memory/1964-9-0x0000000000400000-0x0000000000469000-memory.dmp

memory/1964-11-0x0000000000400000-0x0000000000469000-memory.dmp

memory/1964-13-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1964-12-0x0000000000470000-0x00000000004CC000-memory.dmp

memory/1964-15-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 01:50

Reported

2024-05-09 01:53

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe"

Signatures

Modifies AppInit DLL entries

persistence

ASPack v2.12-2.42

aspackv2
No indicator details recorded.

Executes dropped EXE

Process: C:\PROGRA~3\Mozilla\crdkdxb.exe

Drops file in Program Files directory

Description   Indicator                         Process
File created  C:\PROGRA~3\Mozilla\crdkdxb.exe   C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe
File created  C:\PROGRA~3\Mozilla\xczzoaa.dll   C:\PROGRA~3\Mozilla\crdkdxb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\c50e1fae2032a895de7622eed4d3bb10_NEIKI.exe"

C:\PROGRA~3\Mozilla\crdkdxb.exe

C:\PROGRA~3\Mozilla\crdkdxb.exe -ofessij

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

Network

Country  Destination          Domain                            Proto
GB       172.217.169.74:443   -                                 tcp
US       8.8.8.8:53           183.142.211.20.in-addr.arpa       udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa      udp
US       8.8.8.8:53           134.32.126.40.in-addr.arpa        udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa       udp
US       13.107.253.64:443    -                                 tcp
US       8.8.8.8:53           241.150.49.20.in-addr.arpa        udp
US       8.8.8.8:53           103.169.127.40.in-addr.arpa       udp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa        udp
US       8.8.8.8:53           28.118.140.52.in-addr.arpa        udp
US       8.8.8.8:53           240.143.123.92.in-addr.arpa       udp
US       8.8.8.8:53           21.236.111.52.in-addr.arpa        udp
US       8.8.8.8:53           77.190.18.2.in-addr.arpa          udp
US       8.8.8.8:53           27.178.89.13.in-addr.arpa         udp

("-" in the Domain column: direct connection with no DNS name recorded.)
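Behavioral1 recorded no network activity; behavioral2 (Windows 10, with msedge.exe also present in the process tree) recorded two TCP connections to port 443 and a run of PTR (reverse DNS) queries to 8.8.8.8. The report attributes none of these rows to the sample or to crdkdxb.exe, so nothing on this page ties them to the malware; they need a process-level capture before they count as indicators. What an analyst still wants from the PTR rows is the address being reverse-resolved, which the in-addr.arpa label encodes in reverse octet order. The following is an added example, not part of the report: a parser for the rows above (copied verbatim as its input) that separates direct connections from PTR lookups and recovers the queried IPv4 addresses for pivoting.

```python
"""Recover the addresses behind the in-addr.arpa PTR queries in the
behavioral2 network table. Added example; the rows are copied from the
report, the parsing code is not part of it."""
from __future__ import annotations

import ipaddress

# Rows copied from the behavioral2 network table
# (Country Destination [Domain] Proto; Domain absent for bare connections).
NETWORK_ROWS = """\
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name: str) -> str | None:
    """Map '183.142.211.20.in-addr.arpa' to '20.211.142.183'.

    The PTR label lists the octets in reverse order; anything that is not a
    well-formed four-octet IPv4 PTR name returns None.
    """
    label = name.strip().lower().rstrip(".")
    if not label.endswith(PTR_SUFFIX):
        return None
    octets = label[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_rows(text: str) -> list[dict]:
    """Parse table rows into dicts; header or malformed lines are skipped."""
    rows: list[dict] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        host, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue  # e.g. the "Country Destination Domain Proto" header
        rows.append({
            "country": country,
            "host": host,
            "port": int(port),
            "proto": proto,
            "domain": domain,
            "resolved_ip": ptr_to_ip(domain) if domain else None,
        })
    return rows


def summarize(rows: list[dict]) -> tuple[list[tuple[str, int, str]], list[str]]:
    """Split direct connections from PTR lookups.

    Returns ([(host, port, proto), ...], [queried IPv4 address, ...]); the
    second list is what to pivot on (owner/ASN lookup), not 8.8.8.8 itself.
    """
    direct = [(r["host"], r["port"], r["proto"]) for r in rows if r["domain"] is None]
    queried = [r["resolved_ip"] for r in rows if r["resolved_ip"]]
    return direct, queried


if __name__ == "__main__":
    direct, queried = summarize(parse_rows(NETWORK_ROWS))
    print("direct connections:", direct)
    print("addresses reverse-resolved:", queried)
```

The resolver (8.8.8.8) is the same for every PTR row, so the destination column carries no pivot value; the twelve recovered addresses and the two direct 443 endpoints are the only items worth enriching.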

Files

memory/452-0-0x0000000000400000-0x0000000000469000-memory.dmp

memory/452-1-0x0000000000400000-0x0000000000469000-memory.dmp

memory/452-2-0x0000000000442000-0x0000000000443000-memory.dmp

memory/452-3-0x0000000000400000-0x0000000000469000-memory.dmp

memory/452-4-0x0000000000400000-0x0000000000469000-memory.dmp

C:\PROGRA~3\Mozilla\crdkdxb.exe

MD5 ea23f377e284798f403725389f110ad7
SHA1 01d224f072728f4a0dd3243c3bae2141d375c85f
SHA256 c1b6333a8dc798c60725bcc6bd2a3f9575ddd2c7222e85b59660ae7f43ce4154
SHA512 b7c6cb9affe7fcd2da254ee9b130744cc6b78d1e9b1ec996b721963a0652c8d7370d0bd4d42df72030db5f3fa408ce122f7ad948dd778a0f506b3cc8d3e7f24a

memory/452-10-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4420-12-0x0000000000400000-0x0000000000469000-memory.dmp

memory/4420-11-0x0000000000400000-0x0000000000469000-memory.dmp

memory/4420-14-0x0000000000400000-0x0000000000469000-memory.dmp

memory/4420-13-0x0000000000400000-0x0000000000469000-memory.dmp

memory/4420-17-0x0000000000400000-0x000000000045B000-memory.dmp