Malware Analysis Report

2025-01-22 12:24

Sample ID 240516-wh8npsgg75
Target 0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe
SHA256 d3b461fe3e3de84bba74468ad63cb4d643c0d58b941a870774103fe088d97435
Tags: aspackv2 bootkit persistence spyware stealer
Score: 8/10

Analysis Overview

Score: 8/10

SHA256

d3b461fe3e3de84bba74468ad63cb4d643c0d58b941a870774103fe088d97435

Threat Level: Likely malicious

The file 0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

aspackv2 bootkit persistence spyware stealer

Blocklisted process makes network request

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

ASPack v2.12-2.42

Deletes itself

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 17:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 17:56

Reported

2024-05-16 17:59

Platform

win7-20240508-en

Max time kernel

142s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\zvdzv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\zvdzv.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\gqfdk\\hujiisw.dll\",AbortProc" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\zvdzv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1192 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1192 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1192 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1104 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1104 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1104 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1104 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\zvdzv.exe
PID 1104 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\zvdzv.exe
PID 1104 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\zvdzv.exe
PID 1104 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\zvdzv.exe
PID 2576 wrote to memory of 2972 N/A \??\c:\zvdzv.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2576 wrote to memory of 2972 N/A \??\c:\zvdzv.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2576 wrote to memory of 2972 N/A \??\c:\zvdzv.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2576 wrote to memory of 2972 N/A \??\c:\zvdzv.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2576 wrote to memory of 2972 N/A \??\c:\zvdzv.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2576 wrote to memory of 2972 N/A \??\c:\zvdzv.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2576 wrote to memory of 2972 N/A \??\c:\zvdzv.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\zvdzv.exe "C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\zvdzv.exe

c:\zvdzv.exe "C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\gqfdk\hujiisw.dll",AbortProc c:\zvdzv.exe

Network

Country Destination Domain Proto
US 67.229.62.198:803 tcp
US 67.229.62.198:803 tcp
US 67.229.62.194:3201 tcp
US 67.229.62.197:805 tcp
US 67.229.62.197:805 tcp
US 67.229.62.197:805 tcp
US 67.229.62.197:805 tcp
US 67.229.62.194:3201 tcp
US 67.229.62.194:3201 tcp
US 67.229.62.194:3201 tcp

Files

memory/1192-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1192-2-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\zvdzv.exe

MD5 0ceca775d5e946563d43d0eb4aaaf8ca
SHA1 9c62c6e175c360485a04196902da5500def5ae59
SHA256 e9de168d12c73b4c20777b3787dc3c180b67b00898cd56430eb6fcf8366700dd
SHA512 eb9ad7ebaad11d4c84149e8e0bbf4545c13b6f374fe210f054e72e704ead5cfa5eed992f196d15276da35b9393d14a19264389b9f13fbb627de2e1baec2fb825

memory/2576-7-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1104-6-0x0000000000280000-0x00000000002A8000-memory.dmp

memory/1104-5-0x0000000000280000-0x00000000002A8000-memory.dmp

memory/2576-9-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\gqfdk\hujiisw.dll

MD5 a2c2137ff7abf6be6bcae4252c394a69
SHA1 07b402104df563f9486c2eef975fee70f65a5145
SHA256 37ab4b7ee8f6b61c3854af4ed4676fd0d69f0260fb1296ad75e57aa08e1eeb03
SHA512 5d05ed7c55bee8f41502acaea3d41fcf4421ad641d43f0b97b4cdc8fe584983da7712c561a53b708e88391df7929914746115700ae733155418693bcec6989a9

memory/2972-16-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2972-17-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2972-15-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2972-18-0x0000000010033000-0x0000000010034000-memory.dmp

memory/2972-19-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2972-21-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2972-20-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2972-22-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2972-24-0x0000000010033000-0x0000000010034000-memory.dmp

memory/2972-27-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2972-28-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2972-29-0x0000000010000000-0x0000000010036000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 17:56

Reported

2024-05-16 17:59

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\dztza.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\dztza.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\npagehu\\paaws.dll\",AbortProc" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\dztza.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\dztza.exe "C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\dztza.exe

c:\dztza.exe "C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\npagehu\paaws.dll",AbortProc c:\dztza.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.162:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 67.229.62.198:803 tcp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 67.229.62.194:3201 tcp
US 67.229.62.197:805 tcp
US 67.229.62.197:805 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 67.229.62.197:805 tcp
US 67.229.62.194:3201 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 67.229.62.194:3201 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 67.229.62.194:3201 tcp

Files

memory/4896-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4896-2-0x0000000000400000-0x0000000000428000-memory.dmp

C:\dztza.exe

MD5 778a67203ec92afe7d68f44ec57511b4
SHA1 839ffb3e28f6dc6b90ac14727f9be8895c47e4c2
SHA256 e7c414dcdfddff6780af8cf516ac199c6f1471111be00b7575444d250548145a
SHA512 d97578239b1d04bf32f83365ae6bdcd56352c66a9e4fc2e7807962bf061bbb8b794858409d6d74340a032f5e24acc063622c5b868c5545dfb3c111eeb41c4110

memory/6012-6-0x0000000000400000-0x0000000000428000-memory.dmp

memory/6012-8-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\npagehu\paaws.dll

MD5 a2c2137ff7abf6be6bcae4252c394a69
SHA1 07b402104df563f9486c2eef975fee70f65a5145
SHA256 37ab4b7ee8f6b61c3854af4ed4676fd0d69f0260fb1296ad75e57aa08e1eeb03
SHA512 5d05ed7c55bee8f41502acaea3d41fcf4421ad641d43f0b97b4cdc8fe584983da7712c561a53b708e88391df7929914746115700ae733155418693bcec6989a9

memory/5148-11-0x0000000010000000-0x0000000010036000-memory.dmp

memory/5148-14-0x0000000010000000-0x0000000010036000-memory.dmp

memory/5148-13-0x0000000010000000-0x0000000010036000-memory.dmp

memory/5148-12-0x0000000010000000-0x0000000010036000-memory.dmp

memory/5148-15-0x0000000010000000-0x0000000010036000-memory.dmp

memory/5148-17-0x0000000010000000-0x0000000010036000-memory.dmp

memory/5148-19-0x0000000010000000-0x0000000010036000-memory.dmp

memory/5148-20-0x0000000010000000-0x0000000010036000-memory.dmp