Analysis Overview
SHA256
99d70bd519fd63196ff7f1687513b2229e2ced9c2b71fee83362b2e8ec9210e1
Threat Level: Likely malicious
The file d18c14e521f61cfee9e4f39a7a779c00_NEIKI was found to be: Likely malicious.
Malicious Activity Summary
Modifies AppInit DLL entries
Executes dropped EXE
ASPack v2.12-2.42
Drops file in Program Files directory
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 02:37
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 02:37
Reported
2024-05-09 02:39
Platform
win7-20240508-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Modifies AppInit DLL entries
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\PROGRA~3\Mozilla\banehvg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\PROGRA~3\Mozilla\banehvg.exe | C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\xwmsnym.dll | C:\PROGRA~3\Mozilla\banehvg.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe | N/A |
| N/A | N/A | C:\PROGRA~3\Mozilla\banehvg.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2064 wrote to memory of 2124 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\banehvg.exe |
| PID 2064 wrote to memory of 2124 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\banehvg.exe |
| PID 2064 wrote to memory of 2124 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\banehvg.exe |
| PID 2064 wrote to memory of 2124 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\banehvg.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {4022E54A-26B9-4B74-916D-1287A77FD44F} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\banehvg.exe
C:\PROGRA~3\Mozilla\banehvg.exe -tlnruii
Network
Files
memory/2368-1-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2368-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2368-4-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2368-3-0x0000000001B80000-0x0000000001BDB000-memory.dmp
memory/2368-2-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2368-6-0x0000000000400000-0x000000000045B000-memory.dmp
C:\PROGRA~3\Mozilla\banehvg.exe
| Algorithm | Digest |
|---|---|
| MD5 | 82bffc026c3bb741726f1064337f9d7d |
| SHA1 | 691e2d974524448130432302d12b7f81f08eb2c2 |
| SHA256 | e1d2d5211d9bc85886ac24accb721068345d6a2579cc4e5e98397316d43da89d |
| SHA512 | 848eb55020fb92115b601206e35400df9e6c08819ddb1dfd6ca1abf4672ed18907aac70b70b55164ccd11660cc5f722a37f9593025adb946be0f515b6ea1a084 |
memory/2124-9-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2124-11-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2124-10-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2124-12-0x0000000000460000-0x00000000004BB000-memory.dmp
memory/2124-13-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2124-15-0x0000000000400000-0x000000000045B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 02:37
Reported
2024-05-09 02:40
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
167s
Command Line
Signatures
Modifies AppInit DLL entries
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\PROGRA~3\Mozilla\crdkdxb.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\PROGRA~3\Mozilla\crdkdxb.exe | C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\xczzoaa.dll | C:\PROGRA~3\Mozilla\crdkdxb.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\d18c14e521f61cfee9e4f39a7a779c00_NEIKI.exe"
C:\PROGRA~3\Mozilla\crdkdxb.exe
C:\PROGRA~3\Mozilla\crdkdxb.exe -ofessij
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.201.106:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.201.50.20.in-addr.arpa | udp |
Files
memory/760-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/760-2-0x0000000000400000-0x000000000045E000-memory.dmp
memory/760-1-0x0000000000400000-0x000000000045E000-memory.dmp
memory/760-3-0x00000000021F0000-0x000000000224B000-memory.dmp
memory/760-4-0x0000000000400000-0x000000000045B000-memory.dmp
C:\ProgramData\Mozilla\crdkdxb.exe
| Algorithm | Digest |
|---|---|
| MD5 | 0361e1aa69d1a80806b33cccb2a5b2df |
| SHA1 | 97e554bca9be75b68faa55abb2f00f00e38b54b3 |
| SHA256 | a3c7ec1c4a2ecc76575a78269b057c3a11f3835bcdfd1ee2f62aa969f5f93e1f |
| SHA512 | c33129c6f8bb7545503a63d2183a45242d95e4e1a6a1368930707513da6cb9cf5c94006de2e5cfef7046ddfa236530588b1e6c87b7ab7064d704f210ea3dc929 |
memory/760-11-0x00000000021F0000-0x000000000224B000-memory.dmp
memory/760-10-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4768-13-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4768-14-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4768-12-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4768-15-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4768-18-0x0000000000400000-0x000000000045B000-memory.dmp