Malware Analysis Report

2025-01-22 12:25

Sample ID 240517-njrsksfd4w
Target ea849e62ada93c7767054f58fcbca120_NeikiAnalytics.exe
SHA256 1c248cd310faf27c13883256841a0e9690016cf3918c543d06dc64a685dd5e97
Tags
aspackv2 bootkit persistence spyware stealer
score
8/10

Analysis Overview

score
8/10

SHA256

1c248cd310faf27c13883256841a0e9690016cf3918c543d06dc64a685dd5e97

Threat Level: Likely malicious

The file ea849e62ada93c7767054f58fcbca120_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

aspackv2 bootkit persistence spyware stealer

Blocklisted process makes network request

Reads user/profile data of web browsers

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Deletes itself

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Runs ping.exe

Analysis: static1

Detonation Overview

Reported

2024-05-17 11:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 11:25

Reported

2024-05-17 11:28

Platform

win7-20240221-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea849e62ada93c7767054f58fcbca120_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\naksqpeo.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\naksqpeo.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\nmpbjk\\rxkix.dll\",AbortProc" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea849e62ada93c7767054f58fcbca120_NeikiAnalytics.exe N/A
N/A N/A \??\c:\naksqpeo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\ea849e62ada93c7767054f58fcbca120_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\ea849e62ada93c7767054f58fcbca120_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\ea849e62ada93c7767054f58fcbca120_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\ea849e62ada93c7767054f58fcbca120_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 868 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 868 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 868 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 868 wrote to memory of 2484 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\naksqpeo.exe
PID 868 wrote to memory of 2484 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\naksqpeo.exe
PID 868 wrote to memory of 2484 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\naksqpeo.exe
PID 868 wrote to memory of 2484 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\naksqpeo.exe
PID 2484 wrote to memory of 2584 N/A \??\c:\naksqpeo.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2584 N/A \??\c:\naksqpeo.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2584 N/A \??\c:\naksqpeo.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2584 N/A \??\c:\naksqpeo.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2584 N/A \??\c:\naksqpeo.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2584 N/A \??\c:\naksqpeo.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2584 N/A \??\c:\naksqpeo.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ea849e62ada93c7767054f58fcbca120_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\ea849e62ada93c7767054f58fcbca120_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\naksqpeo.exe "C:\Users\Admin\AppData\Local\Temp\ea849e62ada93c7767054f58fcbca120_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\naksqpeo.exe

c:\naksqpeo.exe "C:\Users\Admin\AppData\Local\Temp\ea849e62ada93c7767054f58fcbca120_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\nmpbjk\rxkix.dll",AbortProc c:\naksqpeo.exe

Network

Files

\??\c:\naksqpeo.exe

MD5 bb6a74d0e907e139cf68f0bc7b75fa04
SHA1 b87942c702215cfc48414345d705708fbf6847f1
SHA256 7db2cd4de78c3a97042a8c461640e255ff33f1dddaa0cb7ff91586a57cd946ed
SHA512 26e6e12ae7ce306d6d0ed2f336bf0643d997a1a286503640318c7a242beefa7615dbda76a6e1fc9e58fb7332a4b718028c15753221ef1e88dd49d765ba54f7b8

\??\c:\nmpbjk\rxkix.dll

MD5 a2c2137ff7abf6be6bcae4252c394a69
SHA1 07b402104df563f9486c2eef975fee70f65a5145
SHA256 37ab4b7ee8f6b61c3854af4ed4676fd0d69f0260fb1296ad75e57aa08e1eeb03
SHA512 5d05ed7c55bee8f41502acaea3d41fcf4421ad641d43f0b97b4cdc8fe584983da7712c561a53b708e88391df7929914746115700ae733155418693bcec6989a9

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 11:25

Reported

2024-05-17 11:28

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea849e62ada93c7767054f58fcbca120_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\kypja.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\kypja.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\zuuxl\\fyahcre.dll\",AbortProc" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea849e62ada93c7767054f58fcbca120_NeikiAnalytics.exe N/A
N/A N/A \??\c:\kypja.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ea849e62ada93c7767054f58fcbca120_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\ea849e62ada93c7767054f58fcbca120_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\kypja.exe "C:\Users\Admin\AppData\Local\Temp\ea849e62ada93c7767054f58fcbca120_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\kypja.exe

c:\kypja.exe "C:\Users\Admin\AppData\Local\Temp\ea849e62ada93c7767054f58fcbca120_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\zuuxl\fyahcre.dll",AbortProc c:\kypja.exe

Network

Files

C:\kypja.exe

MD5 b6593a24ec37d3a2c9d8d09f38974dc4
SHA1 216d28ba11743b51e6b930c6624c04efbd299d19
SHA256 c6b3249ac0e45bc856704e0430c652a9e19cb28966830af87d46a74a21d2a6c8
SHA512 2aed056828b25e5775f648fbc00919069ebce14c9a1707dc9545bf823a9f2aed00bd688e7cee908bd3d99dc3261ccfd390e45cc52bea63c4101f9b742a72b0cb

\??\c:\zuuxl\fyahcre.dll

MD5 a2c2137ff7abf6be6bcae4252c394a69
SHA1 07b402104df563f9486c2eef975fee70f65a5145
SHA256 37ab4b7ee8f6b61c3854af4ed4676fd0d69f0260fb1296ad75e57aa08e1eeb03
SHA512 5d05ed7c55bee8f41502acaea3d41fcf4421ad641d43f0b97b4cdc8fe584983da7712c561a53b708e88391df7929914746115700ae733155418693bcec6989a9
