Malware Analysis Report

2025-03-15 05:45

Sample ID: 240509-yzy7pscd2v
Target: e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics
SHA256: fb51e709fc0c4f1fc71138d4ca502a539ca9085878c1f3f9b1f638064049a2bc
Tags: aspackv2, persistence
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: fb51e709fc0c4f1fc71138d4ca502a539ca9085878c1f3f9b1f638064049a2bc

Threat Level: Likely malicious

The file e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics was found to be: Likely malicious.

Malicious Activity Summary

Tags: aspackv2, persistence

Modifies AppInit DLL entries

Executes dropped EXE

ASPack v2.12-2.42

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-09 20:14

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-09 20:14

Reported: 2024-05-09 20:16

Platform: win7-20240221-en

Max time kernel: 120s

Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\dbilzqh.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\zxoabnc.dll C:\PROGRA~3\Mozilla\dbilzqh.exe N/A
File created C:\PROGRA~3\Mozilla\dbilzqh.exe C:\Users\Admin\AppData\Local\Temp\e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics.exe N/A
N/A N/A C:\PROGRA~3\Mozilla\dbilzqh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 2140 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\dbilzqh.exe
PID 2756 wrote to memory of 2140 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\dbilzqh.exe
PID 2756 wrote to memory of 2140 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\dbilzqh.exe
PID 2756 wrote to memory of 2140 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\dbilzqh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {964F5C60-9C9F-4CD4-9B5B-0337396C44B7} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\dbilzqh.exe

C:\PROGRA~3\Mozilla\dbilzqh.exe -kwinamg

Network

N/A

Files

memory/1924-1-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1924-0-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1924-4-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1924-3-0x0000000001C40000-0x0000000001C9B000-memory.dmp

memory/1924-2-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1924-6-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\dbilzqh.exe

MD5 901ef1f4ed9352114a40c6184c306fb6
SHA1 b31baedda73503bcaf6ac3ffb6d26e46c994e59b
SHA256 ec6eddcd1d14b8e59311d3524006b1de3f18a8ae5af9be2b145cf4336d852721
SHA512 831ef05811af376063e6fd32de893c2144e18367eb8f801f6d67759a402722c2530d7825f6e32a34bd2ae598ccb3edba98f19b78e68da1f00f8e8a32974fd4e6

memory/2140-9-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2140-11-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2140-10-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2140-12-0x0000000000850000-0x00000000008AB000-memory.dmp

memory/2140-13-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2140-15-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-09 20:14

Reported: 2024-05-09 20:16

Platform: win10v2004-20240508-en

Max time kernel: 93s

Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\iodncyc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\iodncyc.exe C:\Users\Admin\AppData\Local\Temp\e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\PROGRA~3\Mozilla\iodncyc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics.exe"

C:\PROGRA~3\Mozilla\iodncyc.exe

C:\PROGRA~3\Mozilla\iodncyc.exe -szcyzql

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 448

Network

Country Destination Domain Proto
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/1700-0-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1700-1-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1700-2-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1700-4-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1700-3-0x0000000000610000-0x000000000066B000-memory.dmp

C:\ProgramData\Mozilla\iodncyc.exe

MD5 b56cd23d797376956e28f6b1977b19f9
SHA1 5ee1ac7418ac7876f499dbbdb777ccfef743e341
SHA256 d310605bcb2deff6813c26912e5ebdb738fc3deafe26fae76ef81de4dc3f767c
SHA512 98e35704399af90acaa6f9c0fb5e90fc83490b71943b31bead3a37538ec16b268f6b6f396a8e207275d2e73ba8c4378c1fad3b82da85113dde44271a2f5e610f

memory/4348-8-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4348-9-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4348-10-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1700-12-0x0000000000400000-0x000000000045B000-memory.dmp