ba3c722d550f9e5097957a2473d50f74ae0e647ddcffb51a289ff11d073c1fa1

Analysis

max time kernel
134s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 14:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d48945e5c0c57e0ff481cb97527a69b0_NEIKI.exe
Size

134KB
MD5

d48945e5c0c57e0ff481cb97527a69b0
SHA1

9b9a70d8ed9b7c442afccd9c5c6b759ddae75593
SHA256

ba3c722d550f9e5097957a2473d50f74ae0e647ddcffb51a289ff11d073c1fa1
SHA512

345d5c6d3051aa1508b19e41eba9c458c0c61387a3df2ee00a874ca13a18f6e9e08658da0676f66886b87d4c3d46624c5f07dfb916c3fb79ffa3525fd0c9999d
SSDEEP

1536:rF0AJELopHG9aa+9qX3apJzAKWYr0v7ioy6paK2AZqMIK7aGZh38QO:riAyLN9aa+9U2rW1ip6pr2At7NZuQO

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
208	WwanSvc.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4640-0-0x0000000000C60000-0x0000000000C88000-memory.dmp	upx
behavioral2/memory/4640-5-0x0000000000C60000-0x0000000000C88000-memory.dmp	upx
behavioral2/files/0x000e000000023b8f-4.dat	upx
behavioral2/memory/208-6-0x00000000004B0000-0x00000000004D8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"	d48945e5c0c57e0ff481cb97527a69b0_NEIKI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 208	4640	d48945e5c0c57e0ff481cb97527a69b0_NEIKI.exe	85
PID 4640 wrote to memory of 208	4640	d48945e5c0c57e0ff481cb97527a69b0_NEIKI.exe	85
PID 4640 wrote to memory of 208	4640	d48945e5c0c57e0ff481cb97527a69b0_NEIKI.exe	85

C:\Users\Admin\AppData\Local\Temp\d48945e5c0c57e0ff481cb97527a69b0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\d48945e5c0c57e0ff481cb97527a69b0_NEIKI.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4640
- C:\ProgramData\Update\WwanSvc.exe
  "C:\ProgramData\Update\WwanSvc.exe" /run
  2⤵
  - Executes dropped EXE
  PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Update\WwanSvc.exe

Filesize
134KB

MD5
249ddb62bf3f4aca641552f0ece339a7

SHA1
8c4d243c4c49ad0bd04bcd4b3763d4dad0462cbf

SHA256
ae08b5abf181699874acf4f2c676638ec7085e250c30040c725c58deefdd1061

SHA512
96a9af0c0f521d1bfafe3302de1f4a4d5d464fd55459a47e59a42ce89ccc9bcac85cc39110a21e624671b91c3d290947fc7d2889cef67178242af53cc0db2c2a

Download Submit
memory/208-6-0x00000000004B0000-0x00000000004D8000-memory.dmp

Filesize
160KB

Download
memory/4640-0-0x0000000000C60000-0x0000000000C88000-memory.dmp

Filesize
160KB

Download
memory/4640-5-0x0000000000C60000-0x0000000000C88000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads