Malware Analysis Report

2025-01-22 12:25

Sample ID 240517-fc9qtaaa72
Target aa10ff61bc93f1daecd9808f0d628a60_NeikiAnalytics.exe
SHA256 06e5e11ebb99f8a0ee839fc82b71b1651ef1bbe17500c3ff00a753741dffb22c
Tags: aspackv2, persistence
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256

06e5e11ebb99f8a0ee839fc82b71b1651ef1bbe17500c3ff00a753741dffb22c

Threat Level: Likely malicious

The file aa10ff61bc93f1daecd9808f0d628a60_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: aspackv2, persistence

Modifies AppInit DLL entries

ASPack v2.12-2.42

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 04:44

Signatures

ASPack v2.12-2.42

Tags: aspackv2

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 04:44

Reported

2024-05-17 04:47

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa10ff61bc93f1daecd9808f0d628a60_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

Tags: persistence

ASPack v2.12-2.42

Tags: aspackv2

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\racmzae.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\racmzae.exe | C:\Users\Admin\AppData\Local\Temp\aa10ff61bc93f1daecd9808f0d628a60_NeikiAnalytics.exe | N/A
File created | C:\PROGRA~3\Mozilla\ttbtowf.dll | C:\PROGRA~3\Mozilla\racmzae.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa10ff61bc93f1daecd9808f0d628a60_NeikiAnalytics.exe | N/A
N/A | N/A | C:\PROGRA~3\Mozilla\racmzae.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2492 wrote to memory of 2548 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\racmzae.exe
PID 2492 wrote to memory of 2548 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\racmzae.exe
PID 2492 wrote to memory of 2548 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\racmzae.exe
PID 2492 wrote to memory of 2548 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\racmzae.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aa10ff61bc93f1daecd9808f0d628a60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\aa10ff61bc93f1daecd9808f0d628a60_NeikiAnalytics.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {0D388134-C4AD-4572-A164-AD0D39453D2D} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\racmzae.exe

C:\PROGRA~3\Mozilla\racmzae.exe -cddhnyc

Network

N/A

Files

memory/1516-0-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1516-1-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1516-3-0x0000000000320000-0x000000000037B000-memory.dmp

memory/1516-2-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1516-4-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1516-6-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\racmzae.exe

MD5 27684962f7eff5d813af9da24f9fc99e
SHA1 ce73d3744f70a62dc4bfe84438afcb8dc5583384
SHA256 8fe759474f7bccc55ae561bdca1b698662114b40c395b2adae346bf4d38b6a12
SHA512 2a945db2d4328a3073e0a6d007bde7c8ab39d71e3ff294acd27b3330842762035dcdc4e56496d0265553e791eefdd41621b1630bc3055d022ee8066e233b6e7d

memory/2548-11-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2548-12-0x0000000000270000-0x00000000002CB000-memory.dmp

memory/2548-13-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2548-15-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 04:44

Reported

2024-05-17 04:45

Platform

win10v2004-20240426-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A