Malware Analysis Report

2025-03-14 23:47

Sample ID 240603-fyl7mscg7t
Target 9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe
SHA256 c7aa047b990003ba2ac4e8586027dd886ca9b1e6ca62fab9a06d2988118face2
Tags upx, persistence
Score 7/10

Analysis Overview

Score 7/10

SHA256

c7aa047b990003ba2ac4e8586027dd886ca9b1e6ca62fab9a06d2988118face2

Threat Level: Shows suspicious behavior

The file 9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

upx persistence

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:16

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:16

Reported

2024-06-03 05:19

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description N/A
Indicator N/A
Process C:\ProgramData\Update\WwanSvc.exe
Target N/A

Loads dropped DLL

Description N/A
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe
Target N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Set value (str)
Indicator \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe
Target N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country  Destination          Domain  Proto
CA       158.69.115.115:443   -       tcp

Files

memory/2364-1-0x0000000000340000-0x0000000000368000-memory.dmp

\ProgramData\Update\WwanSvc.exe

MD5 120751f3eca3b6eefd06c1a6389f1faa
SHA1 bb39bf36cbb32fd16b3a19fb10516f7406be7322
SHA256 5212a3d885b6137c1b12f892d44c707f84488712ad87bdc48c9258bdedbf3fbe
SHA512 7f376cf1ee6bcaf362fafc051b75e32b4e5463a170bafaa89276dae1f4ce7ec814137d78eb2ee41a64ef3a1ccc1bfd499090d686b424113221d46fc4298d950f

memory/2364-4-0x00000000000F0000-0x0000000000118000-memory.dmp

memory/2328-7-0x0000000001200000-0x0000000001228000-memory.dmp

memory/2364-8-0x0000000000340000-0x0000000000368000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:16

Reported

2024-06-03 05:19

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description N/A
Indicator N/A
Process C:\ProgramData\Update\WwanSvc.exe
Target N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Set value (str)
Indicator \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe
Target N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9cbe221255642f5816eeda45b07437c0_NeikiAnalytics.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1392 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

Network

Country  Destination          Domain                             Proto
CA       158.69.115.115:443   -                                  tcp
US       8.8.8.8:53           104.219.191.52.in-addr.arpa        udp
US       8.8.8.8:53           144.107.17.2.in-addr.arpa          udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa        udp
GB       172.217.169.74:443   -                                  tcp
US       8.8.8.8:53           183.142.211.20.in-addr.arpa        udp
US       8.8.8.8:53           228.249.119.40.in-addr.arpa        udp
US       8.8.8.8:53           26.165.165.52.in-addr.arpa         udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa         udp
US       13.107.253.64:443    -                                  tcp
US       8.8.8.8:53           82.90.14.23.in-addr.arpa           udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa       udp
US       8.8.8.8:53           233.17.178.52.in-addr.arpa         udp

Files

memory/3456-0-0x0000000000D20000-0x0000000000D48000-memory.dmp

C:\ProgramData\Update\WwanSvc.exe

MD5 122a490c194b8390ff604d6c3d69a053
SHA1 17072441a0c7377ec49ee0f4ead7dcfdd8e1ad10
SHA256 3129be332ebabd7d5cb282e92d341d85432be41b909411c317ceb4f304a5c3af
SHA512 99dcc2c6c044a20491cec5a058b80e204d12dc601b1bfcc20c7f6507fb591063d1a74fbbdb867cb711c79f263fbecd7988a4290c0f7373b2c2bdf1dbc09e72fa

memory/1168-4-0x0000000000D90000-0x0000000000DB8000-memory.dmp

memory/3456-6-0x0000000000D20000-0x0000000000D48000-memory.dmp

memory/1168-7-0x0000000000D90000-0x0000000000DB8000-memory.dmp