Analysis Overview
SHA256
d3b461fe3e3de84bba74468ad63cb4d643c0d58b941a870774103fe088d97435
Threat Level: Likely malicious
The file 0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
ASPack v2.12-2.42
Deletes itself
Writes to the Master Boot Record (MBR)
Enumerates connected drives
Adds Run key to start application
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-16 17:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-16 17:56
Reported
2024-05-16 17:59
Platform
win7-20240508-en
Max time kernel
142s
Max time network
152s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\zvdzv.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\zvdzv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\gqfdk\\hujiisw.dll\",AbortProc" | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe | N/A |
| N/A | N/A | \??\c:\zvdzv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&c:\zvdzv.exe "C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
\??\c:\zvdzv.exe
c:\zvdzv.exe "C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe"
\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\gqfdk\hujiisw.dll",AbortProc c:\zvdzv.exe
Network
| Country | Destination | Domain | Proto |
| US | 67.229.62.198:803 | | tcp |
| US | 67.229.62.198:803 | | tcp |
| US | 67.229.62.194:3201 | | tcp |
| US | 67.229.62.197:805 | | tcp |
| US | 67.229.62.197:805 | | tcp |
| US | 67.229.62.197:805 | | tcp |
| US | 67.229.62.197:805 | | tcp |
| US | 67.229.62.194:3201 | | tcp |
| US | 67.229.62.194:3201 | | tcp |
| US | 67.229.62.194:3201 | | tcp |
Files
memory/1192-0-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1192-2-0x0000000000400000-0x0000000000428000-memory.dmp
\??\c:\zvdzv.exe
| MD5 | 0ceca775d5e946563d43d0eb4aaaf8ca |
| SHA1 | 9c62c6e175c360485a04196902da5500def5ae59 |
| SHA256 | e9de168d12c73b4c20777b3787dc3c180b67b00898cd56430eb6fcf8366700dd |
| SHA512 | eb9ad7ebaad11d4c84149e8e0bbf4545c13b6f374fe210f054e72e704ead5cfa5eed992f196d15276da35b9393d14a19264389b9f13fbb627de2e1baec2fb825 |
memory/2576-7-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1104-6-0x0000000000280000-0x00000000002A8000-memory.dmp
memory/1104-5-0x0000000000280000-0x00000000002A8000-memory.dmp
memory/2576-9-0x0000000000400000-0x0000000000428000-memory.dmp
\??\c:\gqfdk\hujiisw.dll
| MD5 | a2c2137ff7abf6be6bcae4252c394a69 |
| SHA1 | 07b402104df563f9486c2eef975fee70f65a5145 |
| SHA256 | 37ab4b7ee8f6b61c3854af4ed4676fd0d69f0260fb1296ad75e57aa08e1eeb03 |
| SHA512 | 5d05ed7c55bee8f41502acaea3d41fcf4421ad641d43f0b97b4cdc8fe584983da7712c561a53b708e88391df7929914746115700ae733155418693bcec6989a9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-16 17:56
Reported
2024-05-16 17:59
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
137s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\dztza.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\dztza.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\npagehu\\paaws.dll\",AbortProc" | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe | N/A |
| N/A | N/A | \??\c:\dztza.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&c:\dztza.exe "C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
\??\c:\dztza.exe
c:\dztza.exe "C:\Users\Admin\AppData\Local\Temp\0660448b313d4bf769b093164ed0b0c0_NeikiAnalytics.exe"
\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\npagehu\paaws.dll",AbortProc c:\dztza.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.162:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 67.229.62.198:803 | | tcp |
| US | 8.8.8.8:53 | 162.61.62.23.in-addr.arpa | udp |
| US | 67.229.62.194:3201 | | tcp |
| US | 67.229.62.197:805 | | tcp |
| US | 67.229.62.197:805 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 67.229.62.197:805 | | tcp |
| US | 67.229.62.194:3201 | | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 67.229.62.194:3201 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 67.229.62.194:3201 | | tcp |
Files
memory/4896-0-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4896-2-0x0000000000400000-0x0000000000428000-memory.dmp
C:\dztza.exe
| MD5 | 778a67203ec92afe7d68f44ec57511b4 |
| SHA1 | 839ffb3e28f6dc6b90ac14727f9be8895c47e4c2 |
| SHA256 | e7c414dcdfddff6780af8cf516ac199c6f1471111be00b7575444d250548145a |
| SHA512 | d97578239b1d04bf32f83365ae6bdcd56352c66a9e4fc2e7807962bf061bbb8b794858409d6d74340a032f5e24acc063622c5b868c5545dfb3c111eeb41c4110 |
memory/6012-6-0x0000000000400000-0x0000000000428000-memory.dmp
memory/6012-8-0x0000000000400000-0x0000000000428000-memory.dmp
\??\c:\npagehu\paaws.dll
| MD5 | a2c2137ff7abf6be6bcae4252c394a69 |
| SHA1 | 07b402104df563f9486c2eef975fee70f65a5145 |
| SHA256 | 37ab4b7ee8f6b61c3854af4ed4676fd0d69f0260fb1296ad75e57aa08e1eeb03 |
| SHA512 | 5d05ed7c55bee8f41502acaea3d41fcf4421ad641d43f0b97b4cdc8fe584983da7712c561a53b708e88391df7929914746115700ae733155418693bcec6989a9 |