Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
03-06-2024 19:07
Behavioral task
behavioral1
Sample
e4fbb1c6e6e05149af0c2ea6e5c76dd0_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e4fbb1c6e6e05149af0c2ea6e5c76dd0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
e4fbb1c6e6e05149af0c2ea6e5c76dd0_NeikiAnalytics.exe
-
Size
134KB
-
MD5
e4fbb1c6e6e05149af0c2ea6e5c76dd0
-
SHA1
5c02fde56e3eab41cc8c9693695b35363f9cb674
-
SHA256
29c7e0b1f606719ec1b0c04e489f0f4fe75556447fa3dbbd4936ce994867c0df
-
SHA512
5805f02ad37ea0eb90980157e8803e21e2b7a7abe396c96014be7f7b7d51141393248d2bdcda30d74ef29283fc51707b2734d7cf637e26cd6a9792924dbd33f2
-
SSDEEP
1536:rF0AJELopHG9aa+9qX3apJzAKWYr0v7ioy6paK2AZqMIK7aGZh38QA:riAyLN9aa+9U2rW1ip6pr2At7NZuQA
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2484 WwanSvc.exe -
Loads dropped DLL 1 IoCs
pid Process 2660 e4fbb1c6e6e05149af0c2ea6e5c76dd0_NeikiAnalytics.exe -
resource yara_rule behavioral1/memory/2660-0-0x0000000001140000-0x0000000001168000-memory.dmp upx behavioral1/files/0x0033000000014b18-2.dat upx behavioral1/memory/2484-6-0x00000000011E0000-0x0000000001208000-memory.dmp upx behavioral1/memory/2660-7-0x0000000001140000-0x0000000001168000-memory.dmp upx behavioral1/memory/2484-9-0x00000000011E0000-0x0000000001208000-memory.dmp upx behavioral1/memory/2660-10-0x0000000001140000-0x0000000001168000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" e4fbb1c6e6e05149af0c2ea6e5c76dd0_NeikiAnalytics.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2660 wrote to memory of 2484 2660 e4fbb1c6e6e05149af0c2ea6e5c76dd0_NeikiAnalytics.exe 28 PID 2660 wrote to memory of 2484 2660 e4fbb1c6e6e05149af0c2ea6e5c76dd0_NeikiAnalytics.exe 28 PID 2660 wrote to memory of 2484 2660 e4fbb1c6e6e05149af0c2ea6e5c76dd0_NeikiAnalytics.exe 28 PID 2660 wrote to memory of 2484 2660 e4fbb1c6e6e05149af0c2ea6e5c76dd0_NeikiAnalytics.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4fbb1c6e6e05149af0c2ea6e5c76dd0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\e4fbb1c6e6e05149af0c2ea6e5c76dd0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\ProgramData\Update\WwanSvc.exe"C:\ProgramData\Update\WwanSvc.exe" /run2⤵
- Executes dropped EXE
PID:2484
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
134KB
MD5f70a4a64ab81d5535d6597bf86458e83
SHA191ae39d2815ee55936327872e14b1ef1969cb022
SHA256b0d183ac006ddb16cc96ae9bda0f32efbca095c77ed463c6cb79b06f3f382630
SHA512df2cbc859d02ab619e25af74a3b5f45ea4923239b2fa0c138f0afde8ffef6bf8a70b91bb197fcac8b48d80d64f1a0154d38af2cdb623ea9b3dad4daf7b2042f4