Malware Analysis Report

2025-01-22 12:25

Sample ID 240517-mb1j3sdc91
Target e8f62fdaa7a24e22d8efcb8e203fd800_NeikiAnalytics.exe
SHA256 27543f478751da8c7e71269dc467588a3ce5a16c02a34b054fe30a15a0c09903
Tags aspackv2, persistence
Score 8/10


Analysis Overview

Threat Level: Likely malicious

The file e8f62fdaa7a24e22d8efcb8e203fd800_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

aspackv2 persistence

Modifies AppInit DLL entries

ASPack v2.12-2.42

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 10:18

Signatures

ASPack v2.12-2.42

aspackv2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 10:18

Reported

2024-05-17 10:20

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8f62fdaa7a24e22d8efcb8e203fd800_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

ASPack v2.12-2.42

aspackv2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\PROGRA~3\Mozilla\tbckyxk.exe | C:\Users\Admin\AppData\Local\Temp\e8f62fdaa7a24e22d8efcb8e203fd800_NeikiAnalytics.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\newtrln.dll | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A |

Suspicious use of UnmapMainImage

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8f62fdaa7a24e22d8efcb8e203fd800_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2904 wrote to memory of 2852 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe |
| PID 2904 wrote to memory of 2852 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe |
| PID 2904 wrote to memory of 2852 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe |
| PID 2904 wrote to memory of 2852 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\e8f62fdaa7a24e22d8efcb8e203fd800_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\e8f62fdaa7a24e22d8efcb8e203fd800_NeikiAnalytics.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {F97D0608-6890-478F-AF5E-61C6284DD4BF} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\tbckyxk.exe

C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye

Network

N/A

Files

memory/1772-1-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1772-2-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1772-4-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1772-3-0x0000000000320000-0x000000000037B000-memory.dmp

memory/1772-0-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1772-6-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\tbckyxk.exe

MD5 ea90f5d75bd8add4b6ad954be3aa488a
SHA1 979096c87fee11f3ba41de7efce65e01d8d7bb6f
SHA256 e37d79952138ce5e0081fe91d5e6b15b3a8f31a2f0d63ae8e24c480938f2cc5f
SHA512 4bcdcf60a9f6ec0f00699de34ab4d7bfe037b28edb0b5ce47c1b62d1152e4385ab526607cce3c15fded3efbdc63816e0fe90309c9228df2baae044533d88db81

memory/2852-9-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2852-10-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2852-13-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2852-12-0x0000000000460000-0x00000000004BB000-memory.dmp

memory/2852-11-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2852-15-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 10:18

Reported

2024-05-17 10:20

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8f62fdaa7a24e22d8efcb8e203fd800_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

ASPack v2.12-2.42

aspackv2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~3\Mozilla\ykjyebb.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\PROGRA~3\Mozilla\ykjyebb.exe | C:\Users\Admin\AppData\Local\Temp\e8f62fdaa7a24e22d8efcb8e203fd800_NeikiAnalytics.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\pjitnjk.dll | C:\PROGRA~3\Mozilla\ykjyebb.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\e8f62fdaa7a24e22d8efcb8e203fd800_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\e8f62fdaa7a24e22d8efcb8e203fd800_NeikiAnalytics.exe"

C:\PROGRA~3\Mozilla\ykjyebb.exe

C:\PROGRA~3\Mozilla\ykjyebb.exe -aryugnm

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.122:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.122:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 122.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |

Files

memory/4128-0-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4128-2-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4128-1-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4128-4-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4128-3-0x0000000000600000-0x000000000065B000-memory.dmp

C:\ProgramData\Mozilla\ykjyebb.exe

MD5 53063bc1fa6b7df1ba41dfa18ff44099
SHA1 fe42f597d7cd23ddc61c2ab9b8ec7d7240091ee1
SHA256 a6e51dee14df6888ad7bd94958ec661a6e72ac793dc986609fb415d3f2f39f85
SHA512 44bed35b922ff51f9e0bc3982b077836d660eb64b2a8ee8f39b9e62e786985d20120ddfafd6f0719f9517c1f3f6e839c6bdbc1125e51576abde5e9b10d9cc38b

memory/4128-10-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4480-12-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4480-9-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4480-11-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4480-14-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4480-13-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4480-17-0x0000000000400000-0x000000000045B000-memory.dmp