Malware Analysis Report

2025-03-15 05:48

Sample ID 240624-aysfrsthnm
Target 24843d8ae5c65b26c6409035b96d988757db794bb813ac34798255d15b2e4bb1_NeikiAnalytics.exe
SHA256 24843d8ae5c65b26c6409035b96d988757db794bb813ac34798255d15b2e4bb1
Tags
aspackv2 bootkit persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
8/10

SHA256

24843d8ae5c65b26c6409035b96d988757db794bb813ac34798255d15b2e4bb1

Threat Level: Likely malicious

The file 24843d8ae5c65b26c6409035b96d988757db794bb813ac34798255d15b2e4bb1_NeikiAnalytics.exe was found to be: Likely malicious.

Both detonations (win7 and win10) record the same chain. The ASPack-packed first stage runs cmd.exe /c ping 127.0.0.1 -n 2 & <second stage>, using the two pings to 127.0.0.1 as a short delay before starting a second-stage EXE in the root of c:\ (kjtjenswd.exe on win7, jfkgt.exe on win10) with the original file path as its argument; the original is then deleted. The second stage drops a DLL (c:\uvkzg\gkxsl.dll on win7, c:\krjsarizo\jkiefeqa.dll on win10) and runs it through rundll32.exe by the export name AbortProc. That rundll32.exe host is where the rest of the activity happens: it writes the Run value EvtMgr under the user's hive so the DLL is reloaded at logon, opens every drive letter except c:, d: and f:, opens \??\PHYSICALDRIVE0 for modification, requests SeDebugPrivilege, enumerates processes, reads the CPU name string from the registry and connects to 67.229.62.194:3201, 67.229.62.197:805 and 67.229.62.198:803. The directory, DLL and EXE names differ between the two runs and the two dropped EXEs have different hashes, but the dropped DLL is byte-identical in both (SHA256 37ab4b7ee8f6b61c3854af4ed4676fd0d69f0260fb1296ad75e57aa08e1eeb03), so the DLL hash and the Run value name EvtMgr are the stable indicators while the file names and dropped-EXE hashes are per-infection. Two caveats: the MBR signature is raised on the write-access open of PHYSICALDRIVE0, not on recorded write contents, and the browser-data signature carries no indicator rows in either detonation.

Malicious Activity Summary

Tags: aspackv2 bootkit persistence spyware stealer

Blocklisted process makes network request
ASPack v2.12-2.42
Reads user/profile data of web browsers
Loads dropped DLL
Deletes itself
Executes dropped EXE
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-24 00:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 00:37

Reported

2024-06-24 00:40

Platform

win7-20240220-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24843d8ae5c65b26c6409035b96d988757db794bb813ac34798255d15b2e4bb1_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\kjtjenswd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\kjtjenswd.exe N/A

Reads user/profile data of web browsers

spyware stealer
(The signature fired, but no indicator rows are recorded for it in this detonation, so the report does not show which browser profile paths were read.)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\uvkzg\\gkxsl.dll\",AbortProc" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: through \??\z: (23 drive letters, every letter except c:, d: and f:) \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A
(The indicator is a write-access handle on the raw disk; the bytes written are not recorded. On a suspect host, confirm tampering by comparing sector 0 against a known-good MBR rather than relying on this signature alone.)

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\24843d8ae5c65b26c6409035b96d988757db794bb813ac34798255d15b2e4bb1_NeikiAnalytics.exe N/A
N/A N/A \??\c:\kjtjenswd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2836 wrote to memory of 2096 (4 entries) N/A C:\Users\Admin\AppData\Local\Temp\24843d8ae5c65b26c6409035b96d988757db794bb813ac34798255d15b2e4bb1_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2904 (4 entries) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2096 wrote to memory of 2676 (4 entries) N/A C:\Windows\SysWOW64\cmd.exe \??\c:\kjtjenswd.exe
PID 2676 wrote to memory of 2420 (7 entries) N/A \??\c:\kjtjenswd.exe \??\c:\windows\SysWOW64\rundll32.exe
(Each parent/child pair here matches the process-creation chain in the Processes section below.)

Processes

C:\Users\Admin\AppData\Local\Temp\24843d8ae5c65b26c6409035b96d988757db794bb813ac34798255d15b2e4bb1_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\24843d8ae5c65b26c6409035b96d988757db794bb813ac34798255d15b2e4bb1_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\kjtjenswd.exe "C:\Users\Admin\AppData\Local\Temp\24843d8ae5c65b26c6409035b96d988757db794bb813ac34798255d15b2e4bb1_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\kjtjenswd.exe

c:\kjtjenswd.exe "C:\Users\Admin\AppData\Local\Temp\24843d8ae5c65b26c6409035b96d988757db794bb813ac34798255d15b2e4bb1_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\uvkzg\gkxsl.dll",AbortProc c:\kjtjenswd.exe

(The command line names system32, but the 32-bit parent is subject to WoW64 file system redirection, so the image actually loaded is SysWOW64\rundll32.exe, as the recorded process path shows. The trailing c:\kjtjenswd.exe argument is the second stage's own path, in the same way the first stage passed its path to the second stage.)

Network

Country Destination Domain Proto Connections
US 67.229.62.198:803 tcp 2
US 67.229.62.194:3201 tcp 4
US 67.229.62.197:805 tcp 4

Files

memory/2836-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2836-2-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\kjtjenswd.exe

MD5 64e4724442177ead1ea6b5aeca97158e
SHA1 ae3ebcceb2824f17fa0efa1cc38a3fa6642aceb7
SHA256 510769702e434cfc3b1d7d0c671cecb21fc5a59c8d34b393b1a6fbd6fd01277f
SHA512 4bf8bb9ad02d8117f94cf83faa87f981e5cf455e4eeb959e79b8ebe76fd1262e594de553c5029c9f8aef24b3fa86b27dc99e3402c273a0130dca912fc72cb482

memory/2096-5-0x0000000000270000-0x0000000000298000-memory.dmp

memory/2676-7-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2096-6-0x0000000000270000-0x0000000000298000-memory.dmp

memory/2676-9-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\uvkzg\gkxsl.dll

MD5 a2c2137ff7abf6be6bcae4252c394a69
SHA1 07b402104df563f9486c2eef975fee70f65a5145
SHA256 37ab4b7ee8f6b61c3854af4ed4676fd0d69f0260fb1296ad75e57aa08e1eeb03
SHA512 5d05ed7c55bee8f41502acaea3d41fcf4421ad641d43f0b97b4cdc8fe584983da7712c561a53b708e88391df7929914746115700ae733155418693bcec6989a9

memory/2420-15-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2420-16-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2420-17-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2420-18-0x0000000010033000-0x0000000010034000-memory.dmp

memory/2420-19-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2420-20-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2420-21-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2420-22-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2420-24-0x0000000010033000-0x0000000010034000-memory.dmp

memory/2420-27-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2420-28-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2420-29-0x0000000010000000-0x0000000010036000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 00:37

Reported

2024-06-24 00:40

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24843d8ae5c65b26c6409035b96d988757db794bb813ac34798255d15b2e4bb1_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\jfkgt.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\jfkgt.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer
(The signature fired, but no indicator rows are recorded for it in this detonation.)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\krjsarizo\\jkiefeqa.dll\",AbortProc" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: through \??\z: (23 drive letters, every letter except c:, d: and f:) \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A
(As in behavioral1, only the write-access open is recorded, not the bytes written.)
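The "Writes to the Master Boot Record (MBR)" entries in both detonations show nothing beyond rundll32.exe opening \??\PHYSICALDRIVE0 for modification. The following is an added example, not part of the report and not code from the sample, of the check an analyst would run on a suspect host: parse sector 0, verify the 55AA boot signature and the partition table, and compare the 446-byte bootstrap code against a known-good hash. The device paths, the source of the baseline hash and the two sample sectors are assumptions and constructed data; read_sector0 needs administrative rights and is not called by the demo.

```python
r"""Parse a 512-byte MBR and check its bootstrap code against a baseline.

Added example, not code from the sandbox or the sample. The report only shows
rundll32.exe opening \??\PHYSICALDRIVE0 for modification, so the practical
follow-up on a suspect host is to compare sector 0 with a known-good copy.
Device paths, the baseline hash source and the sample sectors below are
assumptions and constructed data.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 446            # bytes 0..445 hold the bootstrap code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Return signature state, non-empty partition entries and a hash of the bootstrap code."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_bootcode(sector: bytes, baseline_sha256: str) -> list:
    """Compare sector 0 with a trusted bootstrap hash; an empty list means clean."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55AA missing: sector is not a valid MBR")
    if info["bootcode_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline: possible MBR bootkit")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is flagged active")
    return findings


def read_sector0(device_path: str) -> bytes:
    r"""Read sector 0 from a raw device; needs admin/root (e.g. \\.\PhysicalDrive0 or /dev/sda)."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Construct a synthetic MBR with one active NTFS partition (sample data, not from the report)."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


# A "known-good" sector recorded before infection, and the same sector with the
# start of its bootstrap code overwritten, which is what an MBR bootkit does.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(CLEAN_MBR)["bootcode_sha256"]
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 6)

if __name__ == "__main__":
    print("clean    :", check_bootcode(CLEAN_MBR, BASELINE))
    print("tampered :", check_bootcode(TAMPERED_MBR, BASELINE))
```

The baseline hash should come from a sector image taken before the incident (or from a clean machine imaged with the same installer), and the partition table is reported separately because a bootkit that relocates the original MBR may leave the table intact while the code changes.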

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\24843d8ae5c65b26c6409035b96d988757db794bb813ac34798255d15b2e4bb1_NeikiAnalytics.exe N/A
N/A N/A \??\c:\jfkgt.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\24843d8ae5c65b26c6409035b96d988757db794bb813ac34798255d15b2e4bb1_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\24843d8ae5c65b26c6409035b96d988757db794bb813ac34798255d15b2e4bb1_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\jfkgt.exe "C:\Users\Admin\AppData\Local\Temp\24843d8ae5c65b26c6409035b96d988757db794bb813ac34798255d15b2e4bb1_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\jfkgt.exe

c:\jfkgt.exe "C:\Users\Admin\AppData\Local\Temp\24843d8ae5c65b26c6409035b96d988757db794bb813ac34798255d15b2e4bb1_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\krjsarizo\jkiefeqa.dll",AbortProc c:\jfkgt.exe

(As in behavioral1, system32 in the command line is redirected by WoW64 to SysWOW64\rundll32.exe for this 32-bit process.)
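The process tree and registry entries above, and the matching ones in behavioral1, follow one pattern: a ping-to-localhost delay before the second stage, a Run value that hands a DLL outside the Windows directory to rundll32.exe by export name, a write-access open of the raw disk, and a sweep of drive letters. As an added example, not sandbox or sample code, the script below expresses those as rules over a small constructed event format and runs them on the values transcribed from behavioral1. The event layout, the rule names, the drive-sweep threshold and the shortened sample path are assumptions made for this example.

```python
"""Rule checks over sandbox-style events for the behaviour chain in this report.

Added example, not sandbox code. The events below are transcribed from the
behavioral1 section (the behavioral2 run differs only in the dropped file
names); the event record layout, rule names, thresholds and the shortened
sample path are assumptions made for this example.
"""
import re
from collections import defaultdict

# cmd.exe /c ping 127.0.0.1 -n 2&c:\kjtjenswd.exe "<original>"  (delay, then second stage)
PING_RELAUNCH = re.compile(
    r'ping\s+127\.0\.0\.1\s+-n\s+(\d+)\s*&\s*"?([a-z]:\\[^\s"&]+)', re.IGNORECASE)
# rundll32.exe "c:\uvkzg\gkxsl.dll",AbortProc  (Run value loading a DLL by export name)
RUNDLL32_VALUE = re.compile(
    r'rundll32\.exe\s+"?([^",]+?\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)
# \??\a:  ...  \??\z:  (read-only opens of drive roots)
DRIVE_ROOT = re.compile(r"^\\\?\?\\([a-z]):$", re.IGNORECASE)

TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files")
DRIVE_SWEEP_MIN = 10   # assumed threshold; this sample probes 23 letters


def scan(events):
    """Apply the rules and return findings as (rule, process, detail) tuples."""
    findings = []
    drives = defaultdict(set)   # process -> set of drive letters it opened
    for ev in events:
        kind, proc = ev["kind"], ev["process"]
        if kind == "process":
            hit = PING_RELAUNCH.search(ev["cmdline"])
            if hit:
                findings.append(("ping_delay_relaunch", proc,
                                 f"waits {hit.group(1)} pings then runs {hit.group(2)}"))
        elif kind == "registry":
            if "\\currentversion\\run\\" in ev["key"].lower():
                hit = RUNDLL32_VALUE.search(ev["value"])
                if hit and not hit.group(1).lower().startswith(TRUSTED_DLL_DIRS):
                    findings.append(("run_key_rundll32_untrusted_dll", proc,
                                     f"{hit.group(1)} export {hit.group(2)}"))
        elif kind == "file":
            path = ev["path"]
            if path.upper().startswith("\\??\\PHYSICALDRIVE") and ev["access"] == "modify":
                findings.append(("raw_disk_open_for_write", proc, path))
            root = DRIVE_ROOT.match(path)
            if root:
                drives[proc].add(root.group(1).lower())
    for proc, letters in drives.items():
        if len(letters) >= DRIVE_SWEEP_MIN:
            findings.append(("drive_letter_sweep", proc, f"{len(letters)} drive letters probed"))
    return findings


# Events transcribed from the report (sample path shortened; record layout is constructed).
RUNDLL = r"\??\c:\windows\SysWOW64\rundll32.exe"
EVENTS = [
    {"kind": "process", "process": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 2&c:\kjtjenswd.exe "C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"kind": "process", "process": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1 -n 2"},
    {"kind": "registry", "process": RUNDLL,
     "key": r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr",
     "value": r'c:\windows\SysWOW64\rundll32.exe "c:\uvkzg\gkxsl.dll",AbortProc'},
    {"kind": "file", "process": RUNDLL, "path": r"\??\PHYSICALDRIVE0", "access": "modify"},
] + [{"kind": "file", "process": RUNDLL, "path": "\\??\\" + c + ":", "access": "read"}
     for c in "abeghijklmnopqrstuvwxyz"]   # the 23 letters opened in behavioral1

if __name__ == "__main__":
    for rule, proc, detail in scan(EVENTS):
        print(f"{rule:32} {proc}  {detail}")
```

The rules key on structure (ping then & then a path, rundll32 plus a DLL outside trusted directories, the raw disk opened for write, many drive roots from one process) rather than on the per-run names, because the dropped directory, DLL and EXE names differ between the two detonations while the pattern does not.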

Network

Country Destination Domain Proto Connections
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 1
US 67.229.62.198:803 tcp 1
US 67.229.62.194:3201 tcp 5
US 67.229.62.197:805 tcp 3

Files

memory/4052-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4052-2-0x0000000000400000-0x0000000000428000-memory.dmp

C:\jfkgt.exe

MD5 87f3b6df63b450860744eaa13e9d1e56
SHA1 1ff9c9d12e43821200363297c7d6c997fc1b3411
SHA256 52864512e02881723975bc55594c1ee2286515475f04aef5cf7f7d5a82a8cb74
SHA512 3b86a64a15fb5b078c70e2b1ad88763e1c6216b452443faa7629a87e7d34e720fa1e1f59feb478bfc1abe191dc2096f91e19a2db152349ee97061bfd4a20ee7c

memory/1576-6-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1576-8-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\krjsarizo\jkiefeqa.dll

MD5 a2c2137ff7abf6be6bcae4252c394a69
SHA1 07b402104df563f9486c2eef975fee70f65a5145
SHA256 37ab4b7ee8f6b61c3854af4ed4676fd0d69f0260fb1296ad75e57aa08e1eeb03
SHA512 5d05ed7c55bee8f41502acaea3d41fcf4421ad641d43f0b97b4cdc8fe584983da7712c561a53b708e88391df7929914746115700ae733155418693bcec6989a9

memory/2404-11-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2404-14-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2404-13-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2404-12-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2404-15-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2404-17-0x0000000010000000-0x0000000010036000-memory.dmp

memory/2404-19-0x0000000010000000-0x0000000010036000-memory.dmp