Analysis Overview
SHA256
c7aa047b990003ba2ac4e8586027dd886ca9b1e6ca62fab9a06d2988118face2
Threat Level: Shows suspicious behavior
The file 9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
UPX packed file
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:16
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:16
Reported
2024-06-03 05:19
Platform
win7-20231129-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2364 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 2364 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 2364 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 2364 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | tcp |
Files
memory/2364-1-0x0000000000340000-0x0000000000368000-memory.dmp
\ProgramData\Update\WwanSvc.exe
| MD5 | 120751f3eca3b6eefd06c1a6389f1faa |
| SHA1 | bb39bf36cbb32fd16b3a19fb10516f7406be7322 |
| SHA256 | 5212a3d885b6137c1b12f892d44c707f84488712ad87bdc48c9258bdedbf3fbe |
| SHA512 | 7f376cf1ee6bcaf362fafc051b75e32b4e5463a170bafaa89276dae1f4ce7ec814137d78eb2ee41a64ef3a1ccc1bfd499090d686b424113221d46fc4298d950f |
memory/2364-4-0x00000000000F0000-0x0000000000118000-memory.dmp
memory/2328-7-0x0000000001200000-0x0000000001228000-memory.dmp
memory/2364-8-0x0000000000340000-0x0000000000368000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:16
Reported
2024-06-03 05:19
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3456 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 3456 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 3456 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1392 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 172.217.169.74:443 | tcp | |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.17.178.52.in-addr.arpa | udp |
Files
memory/3456-0-0x0000000000D20000-0x0000000000D48000-memory.dmp
C:\ProgramData\Update\WwanSvc.exe
| MD5 | 122a490c194b8390ff604d6c3d69a053 |
| SHA1 | 17072441a0c7377ec49ee0f4ead7dcfdd8e1ad10 |
| SHA256 | 3129be332ebabd7d5cb282e92d341d85432be41b909411c317ceb4f304a5c3af |
| SHA512 | 99dcc2c6c044a20491cec5a058b80e204d12dc601b1bfcc20c7f6507fb591063d1a74fbbdb867cb711c79f263fbecd7988a4290c0f7373b2c2bdf1dbc09e72fa |
memory/1168-4-0x0000000000D90000-0x0000000000DB8000-memory.dmp
memory/3456-6-0x0000000000D20000-0x0000000000D48000-memory.dmp
memory/1168-7-0x0000000000D90000-0x0000000000DB8000-memory.dmp