Malware Analysis Report

2025-01-22 12:23

Sample ID: 240517-wcyasabb3z
Target: 10b2c054dd859e8ed5fd61664232b9d0_NeikiAnalytics.exe
SHA256: 7bc28b389cb094c7f83174c060844e49ea04df09bd751d45b0b47e08ff3d9d2e
Tags: aspackv2 bootkit persistence spyware stealer
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: 7bc28b389cb094c7f83174c060844e49ea04df09bd751d45b0b47e08ff3d9d2e

Threat Level: Likely malicious

The file 10b2c054dd859e8ed5fd61664232b9d0_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: aspackv2 bootkit persistence spyware stealer

Blocklisted process makes network request

ASPack v2.12-2.42

Executes dropped EXE

Loads dropped DLL

Deletes itself

Reads user/profile data of web browsers

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Runs ping.exe

Analysis: static1

Detonation Overview

Reported: 2024-05-17 17:47

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-17 17:47
Reported: 2024-05-17 17:49
Platform: win7-20240419-en
Max time kernel: 142s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10b2c054dd859e8ed5fd61664232b9d0_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

Tags: aspackv2

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\ghlcpad.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\ghlcpad.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\lnyqhgc\\kaedu.dll\",GetWindowClass" | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10b2c054dd859e8ed5fd61664232b9d0_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\ghlcpad.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2028 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\10b2c054dd859e8ed5fd61664232b9d0_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\10b2c054dd859e8ed5fd61664232b9d0_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\10b2c054dd859e8ed5fd61664232b9d0_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\10b2c054dd859e8ed5fd61664232b9d0_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1228 wrote to memory of 3032 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1228 wrote to memory of 3032 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1228 wrote to memory of 3032 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1228 wrote to memory of 3032 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1228 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\ghlcpad.exe
PID 1228 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\ghlcpad.exe
PID 1228 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\ghlcpad.exe
PID 1228 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\ghlcpad.exe
PID 2740 wrote to memory of 2620 | N/A | \??\c:\ghlcpad.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 2740 wrote to memory of 2620 | N/A | \??\c:\ghlcpad.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 2740 wrote to memory of 2620 | N/A | \??\c:\ghlcpad.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 2740 wrote to memory of 2620 | N/A | \??\c:\ghlcpad.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 2740 wrote to memory of 2620 | N/A | \??\c:\ghlcpad.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 2740 wrote to memory of 2620 | N/A | \??\c:\ghlcpad.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 2740 wrote to memory of 2620 | N/A | \??\c:\ghlcpad.exe | \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\10b2c054dd859e8ed5fd61664232b9d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\10b2c054dd859e8ed5fd61664232b9d0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\ghlcpad.exe "C:\Users\Admin\AppData\Local\Temp\10b2c054dd859e8ed5fd61664232b9d0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\ghlcpad.exe

c:\ghlcpad.exe "C:\Users\Admin\AppData\Local\Temp\10b2c054dd859e8ed5fd61664232b9d0_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\lnyqhgc\kaedu.dll",GetWindowClass c:\ghlcpad.exe

Network

Country | Destination | Domain | Proto
US | 67.229.232.230:803 | - | tcp
US | 67.229.232.230:803 | - | tcp
US | 67.229.232.226:3204 | - | tcp
US | 67.229.232.229:805 | - | tcp
US | 67.229.232.229:805 | - | tcp
US | 67.229.232.229:805 | - | tcp
US | 67.229.232.229:805 | - | tcp
US | 67.229.232.226:3204 | - | tcp
US | 67.229.232.226:3204 | - | tcp
US | 67.229.232.226:3204 | - | tcp

Files

\??\c:\ghlcpad.exe

MD5: 538ed4ace71f9d8b59f69d44cb9d3b04
SHA1: e37157f4cdab4aee11c94b25972e3b41a5c99a88
SHA256: 63f9709226e4db363fe7a7fc0b18b2fe6c68f3f25267a919e4b1f29a68583097
SHA512: 9b2ba85e2a1b0c7f9edf9624990707f3985d2ae580fbf7ac0d6b15ff37c1ba55d91d921520dcafdb86234e13a7b275692eb03453be5b5a78fd09680d9f88359e

\??\c:\lnyqhgc\kaedu.dll

MD5: 3f82de3a24b560d4d5135bf4074bdd9b
SHA1: 7b6c9ef2d53c58bba7d6114794b9240d0fe7b208
SHA256: be0756d8916bff40899d62deb0f084211490910e2d5d6ff77cd7c73bdc26bd3c
SHA512: fea15cc2ab56be6fd7a65c0a1d356db5595bbde69cabdf92347b865f76c1acdaaab5962b9cb21b7d88b9d72ee79c4d93f11fa88f3998bdc761e272961bc21ae8

Memory dumps:
memory/2620-9-0x0000000010000000-0x0000000010036000-memory.dmp
memory/2620-10-0x0000000010000000-0x0000000010036000-memory.dmp
memory/2620-11-0x0000000010000000-0x0000000010036000-memory.dmp
memory/2620-13-0x0000000010000000-0x0000000010036000-memory.dmp
memory/2620-12-0x0000000010000000-0x0000000010036000-memory.dmp
memory/2620-14-0x0000000010033000-0x0000000010034000-memory.dmp
memory/2620-15-0x0000000010000000-0x0000000010036000-memory.dmp
memory/2620-19-0x0000000010000000-0x0000000010036000-memory.dmp
memory/2620-20-0x0000000010000000-0x0000000010036000-memory.dmp
memory/2620-21-0x0000000010000000-0x0000000010036000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-17 17:47
Reported: 2024-05-17 17:49
Platform: win10v2004-20240508-en
Max time kernel: 142s
Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10b2c054dd859e8ed5fd61664232b9d0_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

Tags: aspackv2

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\javhxrvhc.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\javhxrvhc.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\modhn\\jesqfivz.dll\",GetWindowClass" | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10b2c054dd859e8ed5fd61664232b9d0_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\javhxrvhc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\10b2c054dd859e8ed5fd61664232b9d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\10b2c054dd859e8ed5fd61664232b9d0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\javhxrvhc.exe "C:\Users\Admin\AppData\Local\Temp\10b2c054dd859e8ed5fd61664232b9d0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\javhxrvhc.exe

c:\javhxrvhc.exe "C:\Users\Admin\AppData\Local\Temp\10b2c054dd859e8ed5fd61664232b9d0_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\modhn\jesqfivz.dll",GetWindowClass c:\javhxrvhc.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 187.77.117.104.in-addr.arpa | udp
BE | 2.17.196.129:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 129.196.17.2.in-addr.arpa | udp
US | 67.229.232.230:803 | - | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 67.229.232.226:3204 | - | tcp
US | 67.229.232.229:805 | - | tcp
US | 67.229.232.229:805 | - | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 67.229.232.229:805 | - | tcp
US | 67.229.232.226:3204 | - | tcp
US | 67.229.232.226:3204 | - | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 67.229.232.226:3204 | - | tcp

Files

\??\c:\javhxrvhc.exe

MD5: 406c9aecc16e3968b66612811ff98588
SHA1: 2be1766534d54617afe70bbd16e21a9af626390d
SHA256: 5da6b7187993f3f1c5396d27599aa472f31ddbf6ca266ed90304bd99d01c6809
SHA512: 0c85dcedc36108b4073a94eb29158704591800c4a7178f12bd68d26dd8d77960ad9c3c47893a587a7337668d43c9415cf2f2c34a2d6d6b3d042416e39682d6e6

\??\c:\modhn\jesqfivz.dll

MD5: 3f82de3a24b560d4d5135bf4074bdd9b
SHA1: 7b6c9ef2d53c58bba7d6114794b9240d0fe7b208
SHA256: be0756d8916bff40899d62deb0f084211490910e2d5d6ff77cd7c73bdc26bd3c
SHA512: fea15cc2ab56be6fd7a65c0a1d356db5595bbde69cabdf92347b865f76c1acdaaab5962b9cb21b7d88b9d72ee79c4d93f11fa88f3998bdc761e272961bc21ae8

Memory dumps:
memory/1580-7-0x0000000010000000-0x0000000010036000-memory.dmp
memory/1580-8-0x0000000010000000-0x0000000010036000-memory.dmp
memory/1580-10-0x0000000010000000-0x0000000010036000-memory.dmp
memory/1580-9-0x0000000010000000-0x0000000010036000-memory.dmp
memory/1580-11-0x0000000010000000-0x0000000010036000-memory.dmp
memory/1580-13-0x0000000010000000-0x0000000010036000-memory.dmp
memory/1580-15-0x0000000010000000-0x0000000010036000-memory.dmp