Analysis Overview
SHA256
fb51e709fc0c4f1fc71138d4ca502a539ca9085878c1f3f9b1f638064049a2bc
Threat Level: Likely malicious
The file e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics was found to be: Likely malicious.
Malicious Activity Summary
Modifies AppInit DLL entries
Executes dropped EXE
ASPack v2.12-2.42
Drops file in Program Files directory
Program crash
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 20:14
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 20:14
Reported
2024-05-09 20:16
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Modifies AppInit DLL entries
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\PROGRA~3\Mozilla\zxoabnc.dll | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\dbilzqh.exe | C:\Users\Admin\AppData\Local\Temp\e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2756 wrote to memory of 2140 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe |
| PID 2756 wrote to memory of 2140 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe |
| PID 2756 wrote to memory of 2140 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe |
| PID 2756 wrote to memory of 2140 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {964F5C60-9C9F-4CD4-9B5B-0337396C44B7} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\dbilzqh.exe
C:\PROGRA~3\Mozilla\dbilzqh.exe -kwinamg
Network
Files
memory/1924-1-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1924-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1924-4-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1924-3-0x0000000001C40000-0x0000000001C9B000-memory.dmp
memory/1924-2-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1924-6-0x0000000000400000-0x000000000045B000-memory.dmp
C:\PROGRA~3\Mozilla\dbilzqh.exe
| Hash | Value |
| --- | --- |
| MD5 | 901ef1f4ed9352114a40c6184c306fb6 |
| SHA1 | b31baedda73503bcaf6ac3ffb6d26e46c994e59b |
| SHA256 | ec6eddcd1d14b8e59311d3524006b1de3f18a8ae5af9be2b145cf4336d852721 |
| SHA512 | 831ef05811af376063e6fd32de893c2144e18367eb8f801f6d67759a402722c2530d7825f6e32a34bd2ae598ccb3edba98f19b78e68da1f00f8e8a32974fd4e6 |
memory/2140-9-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2140-11-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2140-10-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2140-12-0x0000000000850000-0x00000000008AB000-memory.dmp
memory/2140-13-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2140-15-0x0000000000400000-0x000000000045B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 20:14
Reported
2024-05-09 20:16
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~3\Mozilla\iodncyc.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\PROGRA~3\Mozilla\iodncyc.exe | C:\Users\Admin\AppData\Local\Temp\e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\PROGRA~3\Mozilla\iodncyc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e8ce46bd794e3c7e0655f8f73ffffc60_NeikiAnalytics.exe"
C:\PROGRA~3\Mozilla\iodncyc.exe
C:\PROGRA~3\Mozilla\iodncyc.exe -szcyzql
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4348 -ip 4348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 448
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/1700-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1700-1-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1700-2-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1700-4-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1700-3-0x0000000000610000-0x000000000066B000-memory.dmp
C:\ProgramData\Mozilla\iodncyc.exe
| Hash | Value |
| --- | --- |
| MD5 | b56cd23d797376956e28f6b1977b19f9 |
| SHA1 | 5ee1ac7418ac7876f499dbbdb777ccfef743e341 |
| SHA256 | d310605bcb2deff6813c26912e5ebdb738fc3deafe26fae76ef81de4dc3f767c |
| SHA512 | 98e35704399af90acaa6f9c0fb5e90fc83490b71943b31bead3a37538ec16b268f6b6f396a8e207275d2e73ba8c4378c1fad3b82da85113dde44271a2f5e610f |
memory/4348-8-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4348-9-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4348-10-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1700-12-0x0000000000400000-0x000000000045B000-memory.dmp