Analysis Overview
SHA256
06e5e11ebb99f8a0ee839fc82b71b1651ef1bbe17500c3ff00a753741dffb22c
Threat Level: Likely malicious
The file aa10ff61bc93f1daecd9808f0d628a60_NeikiAnalytics.exe was found to be: Likely malicious.
Malicious Activity Summary
Modifies AppInit DLL entries
ASPack v2.12-2.42
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-17 04:44
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-17 04:44
Reported
2024-05-17 04:47
Platform
win7-20240215-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Modifies AppInit DLL entries
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\racmzae.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\racmzae.exe | C:\Users\Admin\AppData\Local\Temp\aa10ff61bc93f1daecd9808f0d628a60_NeikiAnalytics.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\ttbtowf.dll | C:\PROGRA~3\Mozilla\racmzae.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa10ff61bc93f1daecd9808f0d628a60_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\PROGRA~3\Mozilla\racmzae.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2492 wrote to memory of 2548 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\racmzae.exe |
| PID 2492 wrote to memory of 2548 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\racmzae.exe |
| PID 2492 wrote to memory of 2548 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\racmzae.exe |
| PID 2492 wrote to memory of 2548 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\racmzae.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\aa10ff61bc93f1daecd9808f0d628a60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\aa10ff61bc93f1daecd9808f0d628a60_NeikiAnalytics.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {0D388134-C4AD-4572-A164-AD0D39453D2D} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\racmzae.exe
C:\PROGRA~3\Mozilla\racmzae.exe -cddhnyc
Network
Files
memory/1516-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1516-1-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1516-3-0x0000000000320000-0x000000000037B000-memory.dmp
memory/1516-2-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1516-4-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1516-6-0x0000000000400000-0x000000000045B000-memory.dmp
C:\PROGRA~3\Mozilla\racmzae.exe
| MD5 | 27684962f7eff5d813af9da24f9fc99e |
| SHA1 | ce73d3744f70a62dc4bfe84438afcb8dc5583384 |
| SHA256 | 8fe759474f7bccc55ae561bdca1b698662114b40c395b2adae346bf4d38b6a12 |
| SHA512 | 2a945db2d4328a3073e0a6d007bde7c8ab39d71e3ff294acd27b3330842762035dcdc4e56496d0265553e791eefdd41621b1630bc3055d022ee8066e233b6e7d |
memory/2548-11-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2548-12-0x0000000000270000-0x00000000002CB000-memory.dmp
memory/2548-13-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2548-15-0x0000000000400000-0x000000000045B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-17 04:44
Reported
2024-05-17 04:45
Platform
win10v2004-20240426-en