Malware Analysis Report

2025-03-15 05:44

Sample ID 240509-c38dwsgg26
Target d18c14e521f61cfee9e4f39a7a779c00_NEIKI
SHA256 99d70bd519fd63196ff7f1687513b2229e2ced9c2b71fee83362b2e8ec9210e1
Tags
aspackv2 persistence
score
8/10

Analysis Overview

score
8/10

SHA256

99d70bd519fd63196ff7f1687513b2229e2ced9c2b71fee83362b2e8ec9210e1

Threat Level: Likely malicious

The file d18c14e521f61cfee9e4f39a7a779c00_NEIKI was found to be: Likely malicious.

Malicious Activity Summary

aspackv2 persistence

Modifies AppInit DLL entries

Executes dropped EXE

ASPack v2.12-2.42

Drops file in Program Files directory

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 02:37

Signatures

ASPack v2.12-2.42

aspackv2
Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 02:37

Reported

2024-05-09 02:39

Platform

win7-20240508-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe"

Signatures

Modifies AppInit DLL entries

persistence

ASPack v2.12-2.42

aspackv2
Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Executes dropped EXE

Description   Indicator   Process                          Target
N/A           N/A         C:\PROGRA~3\Mozilla\banehvg.exe  N/A

Drops file in Program Files directory

Description   Indicator                        Process                                                                       Target
File created  C:\PROGRA~3\Mozilla\banehvg.exe  C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe  N/A
File created  C:\PROGRA~3\Mozilla\xwmsnym.dll  C:\PROGRA~3\Mozilla\banehvg.exe                                               N/A

Suspicious use of UnmapMainImage

Description   Indicator   Process                                                                       Target
N/A           N/A         C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe  N/A
N/A           N/A         C:\PROGRA~3\Mozilla\banehvg.exe                                               N/A

Suspicious use of WriteProcessMemory

Description                       Indicator   Process                          Target
PID 2064 wrote to memory of 2124  N/A         C:\Windows\system32\taskeng.exe  C:\PROGRA~3\Mozilla\banehvg.exe
PID 2064 wrote to memory of 2124  N/A         C:\Windows\system32\taskeng.exe  C:\PROGRA~3\Mozilla\banehvg.exe
PID 2064 wrote to memory of 2124  N/A         C:\Windows\system32\taskeng.exe  C:\PROGRA~3\Mozilla\banehvg.exe
PID 2064 wrote to memory of 2124  N/A         C:\Windows\system32\taskeng.exe  C:\PROGRA~3\Mozilla\banehvg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {4022E54A-26B9-4B74-916D-1287A77FD44F} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\banehvg.exe

C:\PROGRA~3\Mozilla\banehvg.exe -tlnruii

Network

N/A

Files

memory/2368-1-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2368-0-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2368-4-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2368-3-0x0000000001B80000-0x0000000001BDB000-memory.dmp

memory/2368-2-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2368-6-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\banehvg.exe

MD5 82bffc026c3bb741726f1064337f9d7d
SHA1 691e2d974524448130432302d12b7f81f08eb2c2
SHA256 e1d2d5211d9bc85886ac24accb721068345d6a2579cc4e5e98397316d43da89d
SHA512 848eb55020fb92115b601206e35400df9e6c08819ddb1dfd6ca1abf4672ed18907aac70b70b55164ccd11660cc5f722a37f9593025adb946be0f515b6ea1a084

memory/2124-9-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2124-11-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2124-10-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2124-12-0x0000000000460000-0x00000000004BB000-memory.dmp

memory/2124-13-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2124-15-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 02:37

Reported

2024-05-09 02:40

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe"

Signatures

Modifies AppInit DLL entries

persistence

ASPack v2.12-2.42

aspackv2
Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Executes dropped EXE

Description   Indicator   Process                          Target
N/A           N/A         C:\PROGRA~3\Mozilla\crdkdxb.exe  N/A

Drops file in Program Files directory

Description   Indicator                        Process                                                                       Target
File created  C:\PROGRA~3\Mozilla\crdkdxb.exe  C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe  N/A
File created  C:\PROGRA~3\Mozilla\xczzoaa.dll  C:\PROGRA~3\Mozilla\crdkdxb.exe                                               N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe"

C:\PROGRA~3\Mozilla\crdkdxb.exe

C:\PROGRA~3\Mozilla\crdkdxb.exe -ofessij

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          97.17.167.52.in-addr.arpa      udp
US       8.8.8.8:53          0.204.248.87.in-addr.arpa      udp
US       8.8.8.8:53          chromewebstore.googleapis.com  udp
US       8.8.8.8:53          chromewebstore.googleapis.com  udp
GB       216.58.201.106:443  chromewebstore.googleapis.com  tcp
US       8.8.8.8:53          pki.goog                       udp
US       8.8.8.8:53          pki.goog                       udp
US       216.239.32.29:80    pki.goog                       tcp
US       8.8.8.8:53          106.201.58.216.in-addr.arpa    udp
US       8.8.8.8:53          29.32.239.216.in-addr.arpa     udp
US       8.8.8.8:53          183.59.114.20.in-addr.arpa     udp
US       8.8.8.8:53          4.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53          15.164.165.52.in-addr.arpa     udp
US       8.8.8.8:53          24.121.18.2.in-addr.arpa       udp
US       8.8.8.8:53          209.205.72.20.in-addr.arpa     udp
US       8.8.8.8:53          217.106.137.52.in-addr.arpa    udp
US       8.8.8.8:53          43.229.111.52.in-addr.arpa     udp
US       8.8.8.8:53          195.201.50.20.in-addr.arpa     udp

Files

memory/760-0-0x0000000000400000-0x000000000045E000-memory.dmp

memory/760-2-0x0000000000400000-0x000000000045E000-memory.dmp

memory/760-1-0x0000000000400000-0x000000000045E000-memory.dmp

memory/760-3-0x00000000021F0000-0x000000000224B000-memory.dmp

memory/760-4-0x0000000000400000-0x000000000045B000-memory.dmp

C:\ProgramData\Mozilla\crdkdxb.exe

MD5 0361e1aa69d1a80806b33cccb2a5b2df
SHA1 97e554bca9be75b68faa55abb2f00f00e38b54b3
SHA256 a3c7ec1c4a2ecc76575a78269b057c3a11f3835bcdfd1ee2f62aa969f5f93e1f
SHA512 c33129c6f8bb7545503a63d2183a45242d95e4e1a6a1368930707513da6cb9cf5c94006de2e5cfef7046ddfa236530588b1e6c87b7ab7064d704f210ea3dc929

memory/760-11-0x00000000021F0000-0x000000000224B000-memory.dmp

memory/760-10-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4768-13-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4768-14-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4768-12-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4768-15-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4768-18-0x0000000000400000-0x000000000045B000-memory.dmp