Malware Analysis Report

2025-03-15 05:45

Sample ID 240510-1ldpysec59
Target 0eea2d2b5d1d4a6c2ac50b60c670fe30_NeikiAnalytics
SHA256 ba2e48436b5a1aa712c312f0410caa0898cd764b4f120cc81ad620e7d12e5708
Tags aspackv2 bootkit persistence spyware stealer
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 8/10

SHA256 ba2e48436b5a1aa712c312f0410caa0898cd764b4f120cc81ad620e7d12e5708

Threat Level: Likely malicious

The file 0eea2d2b5d1d4a6c2ac50b60c670fe30_NeikiAnalytics was found to be: Likely malicious.

Malicious Activity Summary

aspackv2 bootkit persistence spyware stealer

Blocklisted process makes network request

Executes dropped EXE

ASPack v2.12-2.42

Deletes itself

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Unsigned PE

Runs ping.exe

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-10 21:43

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-10 21:43
Reported 2024-05-10 21:46
Platform win7-20240508-en
Max time kernel 142s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0eea2d2b5d1d4a6c2ac50b60c670fe30_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\ktrsr.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\ktrsr.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\wegvw\\fbybe.dll\",AbortProc" | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0eea2d2b5d1d4a6c2ac50b60c670fe30_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\ktrsr.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1668 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\0eea2d2b5d1d4a6c2ac50b60c670fe30_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1668 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\0eea2d2b5d1d4a6c2ac50b60c670fe30_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1668 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\0eea2d2b5d1d4a6c2ac50b60c670fe30_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1668 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\0eea2d2b5d1d4a6c2ac50b60c670fe30_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2236 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2236 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2236 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2236 wrote to memory of 2596 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\ktrsr.exe
PID 2236 wrote to memory of 2596 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\ktrsr.exe
PID 2236 wrote to memory of 2596 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\ktrsr.exe
PID 2236 wrote to memory of 2596 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\ktrsr.exe
PID 2596 wrote to memory of 2680 | N/A | \??\c:\ktrsr.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2680 | N/A | \??\c:\ktrsr.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2680 | N/A | \??\c:\ktrsr.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2680 | N/A | \??\c:\ktrsr.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2680 | N/A | \??\c:\ktrsr.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2680 | N/A | \??\c:\ktrsr.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 2596 wrote to memory of 2680 | N/A | \??\c:\ktrsr.exe | \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0eea2d2b5d1d4a6c2ac50b60c670fe30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0eea2d2b5d1d4a6c2ac50b60c670fe30_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\ktrsr.exe "C:\Users\Admin\AppData\Local\Temp\0eea2d2b5d1d4a6c2ac50b60c670fe30_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\ktrsr.exe

c:\ktrsr.exe "C:\Users\Admin\AppData\Local\Temp\0eea2d2b5d1d4a6c2ac50b60c670fe30_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\wegvw\fbybe.dll",AbortProc c:\ktrsr.exe

Network

Country | Destination | Domain | Proto
US | 67.229.62.198:803 | - | tcp
US | 67.229.62.198:803 | - | tcp
US | 67.229.62.194:3201 | - | tcp
US | 67.229.62.197:805 | - | tcp
US | 67.229.62.197:805 | - | tcp
US | 67.229.62.197:805 | - | tcp
US | 67.229.62.197:805 | - | tcp
US | 67.229.62.194:3201 | - | tcp
US | 67.229.62.194:3201 | - | tcp
US | 67.229.62.194:3201 | - | tcp

Files

memory/1668-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1668-2-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\ktrsr.exe

MD5 30cda65d90b4887d2f4045fa842dca5a
SHA1 2b2fb01a8b82ee3bd703d4941cf05ad100ad60d4
SHA256 3e049c6046f16cae2b8f58d34f023fa6ad7d71884768ffba2fdf77b80d00f740
SHA512 b0a790968552e8366610c600a51648824659e1abfbcb2bb0ea41fc382fce916900154dee45a6ae83a6b85b0eb73589e711b90e7e6413dd959ac12864be80c7f7

memory/2236-5-0x0000000000130000-0x0000000000158000-memory.dmp

memory/2596-7-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2236-6-0x0000000000130000-0x0000000000158000-memory.dmp

memory/2596-9-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\wegvw\fbybe.dll

MD5 a2c2137ff7abf6be6bcae4252c394a69
SHA1 07b402104df563f9486c2eef975fee70f65a5145
SHA256 37ab4b7ee8f6b61c3854af4ed4676fd0d69f0260fb1296ad75e57aa08e1eeb03
SHA512 5d05ed7c55bee8f41502acaea3d41fcf4421ad641d43f0b97b4cdc8fe584983da7712c561a53b708e88391df7929914746115700ae733155418693bcec6989a9

memory/2680-16-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2680-15-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2680-14-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2680-18-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2680-19-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2680-21-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2680-22-0x0000000010033000-0x0000000010034000-memory.dmp

memory/2680-20-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2680-23-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2680-27-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2680-28-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2680-29-0x0000000010000000-0x0000000010036000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-10 21:43
Reported 2024-05-10 21:46
Platform win10v2004-20240508-en
Max time kernel 149s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0eea2d2b5d1d4a6c2ac50b60c670fe30_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\gtioejy.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\gtioejy.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\kdsrdutjc\\zritt.dll\",AbortProc" | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0eea2d2b5d1d4a6c2ac50b60c670fe30_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\gtioejy.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0eea2d2b5d1d4a6c2ac50b60c670fe30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0eea2d2b5d1d4a6c2ac50b60c670fe30_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\gtioejy.exe "C:\Users\Admin\AppData\Local\Temp\0eea2d2b5d1d4a6c2ac50b60c670fe30_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\gtioejy.exe

c:\gtioejy.exe "C:\Users\Admin\AppData\Local\Temp\0eea2d2b5d1d4a6c2ac50b60c670fe30_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\kdsrdutjc\zritt.dll",AbortProc c:\gtioejy.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
BE | 88.221.83.185:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 185.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 67.229.62.198:803 | - | tcp
US | 67.229.62.194:3201 | - | tcp
US | 67.229.62.197:805 | - | tcp
US | 67.229.62.197:805 | - | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
NL | 52.142.223.178:80 | - | tcp
US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp
US | 67.229.62.197:805 | - | tcp
US | 67.229.62.194:3201 | - | tcp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 67.229.62.194:3201 | - | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 67.229.62.194:3201 | - | tcp
US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp

Files

memory/2364-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2364-2-0x0000000000400000-0x0000000000428000-memory.dmp

C:\gtioejy.exe

MD5 208034a9064ed41bf474a005ec6f7b4b
SHA1 d6e8e152cf552f6910a883ed8952f98e362851a3
SHA256 429e33a9c2878cdb90c8a2237bfc3ecfe13d6d0b6f8af39233528ebd353ef9ee
SHA512 33ed52c5d717d6ec341f430ea42fbd3720dfb3e84e965af511a61d676c0b81550446121ec2a23804763e3117a9949d65d4f882d32930b0c3cb30248e5666c7b9

memory/2980-6-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2980-8-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\kdsrdutjc\zritt.dll

MD5 a2c2137ff7abf6be6bcae4252c394a69
SHA1 07b402104df563f9486c2eef975fee70f65a5145
SHA256 37ab4b7ee8f6b61c3854af4ed4676fd0d69f0260fb1296ad75e57aa08e1eeb03
SHA512 5d05ed7c55bee8f41502acaea3d41fcf4421ad641d43f0b97b4cdc8fe584983da7712c561a53b708e88391df7929914746115700ae733155418693bcec6989a9

memory/4792-11-0x0000000010000000-0x0000000010036000-memory.dmp

memory/4792-13-0x0000000010000000-0x0000000010036000-memory.dmp

memory/4792-12-0x0000000010000000-0x0000000010036000-memory.dmp

memory/4792-14-0x0000000010000000-0x0000000010036000-memory.dmp

memory/4792-15-0x0000000010000000-0x0000000010036000-memory.dmp

memory/4792-17-0x0000000010000000-0x0000000010036000-memory.dmp

memory/4792-19-0x0000000010000000-0x0000000010036000-memory.dmp