1ee668eb89632185f28405f9edc7db30abc49c96f0d93b4dc69f622eca989df5

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f16eebf4982df073947cec7046f67c0_NeikiAnalytics.exe
Size

137KB
MD5

4f16eebf4982df073947cec7046f67c0
SHA1

8fd390d5d40d623e827f68d7b72b61d2a58bb8aa
SHA256

1ee668eb89632185f28405f9edc7db30abc49c96f0d93b4dc69f622eca989df5
SHA512

9fac10c53ee677c67b07d8062d23f46d9255a710d76934cd0caa2da099e1dea77e282ea8d348b8850adb31b78213f8b6e45a0d56abb824c75e0d8b12d7bc03a1
SSDEEP

3072:AE9ByF5wP7Ht99mbaa+vKAzWvSVJSwpi6DsY:7907wTr9mea+i6WKQA

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000015cf6-8.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1448	anhxrcb.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\anhxrcb.exe	4f16eebf4982df073947cec7046f67c0_NeikiAnalytics.exe
File created	C:\PROGRA~3\Mozilla\fqurfhn.dll	anhxrcb.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2232	4f16eebf4982df073947cec7046f67c0_NeikiAnalytics.exe
1448	anhxrcb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 1448	1196	taskeng.exe	29
PID 1196 wrote to memory of 1448	1196	taskeng.exe	29
PID 1196 wrote to memory of 1448	1196	taskeng.exe	29
PID 1196 wrote to memory of 1448	1196	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\4f16eebf4982df073947cec7046f67c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4f16eebf4982df073947cec7046f67c0_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2232

C:\Windows\system32\taskeng.exe
taskeng.exe {9164FE63-1F26-4CF8-AA4C-3CC19F1BD4E9} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1196
- C:\PROGRA~3\Mozilla\anhxrcb.exe
  C:\PROGRA~3\Mozilla\anhxrcb.exe -wxojhrj
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\anhxrcb.exe

Filesize
137KB

MD5
616bc3b938f05157a927cc8e539c8bda

SHA1
27318aff325bde857755f91612fd1ef040faff6e

SHA256
9523f8bc8ebda54d5971141806ed450d75d4721b4bdce3816e77a723d1615c31

SHA512
e79c69c1951d2fa88f18422fdbdaec0ea74a152ef03ba5813842eeeefb9bf6fac2d5475511901c8a2fec28745265ba6270a5dc2d8e49f6f7ba371c0eac6422f9

Download Submit
memory/1448-16-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1448-14-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1448-13-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/1448-10-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1448-12-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1448-11-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2232-3-0x0000000000290000-0x00000000002EB000-memory.dmp

Filesize
364KB

Download
memory/2232-7-0x0000000000290000-0x00000000002EB000-memory.dmp

Filesize
364KB

Download
memory/2232-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2232-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2232-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2232-1-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2232-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download