Malware Analysis Report

2025-08-10 12:15

Sample ID 240610-12khfasekg
Target 1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe
SHA256 e5e29ac2651555ee04748022ca2493400b9507476bfbfd89ab02b20619ed4c5f
Tags
upx persistence
score
7/10

Analysis Overview

score
7/10

SHA256

e5e29ac2651555ee04748022ca2493400b9507476bfbfd89ab02b20619ed4c5f

Threat Level: Shows suspicious behavior

The file 1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

upx persistence

UPX packed file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 22:08

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 22:08

Reported

2024-06-10 22:11

Platform

win7-20240508-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Update\WwanSvc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country Destination Domain Proto
CA 158.69.115.115:443 tcp

Files

memory/2220-0-0x0000000000E50000-0x0000000000E78000-memory.dmp

\ProgramData\Update\WwanSvc.exe

MD5 9074eedd2f395915ac9f7f30efb224b9
SHA1 df748cb746090eb540eac0709bed96fc75db306b
SHA256 87bdf42d7ec1869a682930b403a65a41846fc5fb1271356be06fd7243a2dc57a
SHA512 c19ce49c3ac9061f638095fd3b733a035332d4e1def951d3fc732dd5066a3df124ad7202299e4719fafbe54219820ca890cca1d0eeb41b8ca28be9ba762f6dae

memory/2220-6-0x00000000000F0000-0x0000000000118000-memory.dmp

memory/2408-7-0x0000000000820000-0x0000000000848000-memory.dmp

memory/2220-8-0x0000000000E50000-0x0000000000E78000-memory.dmp

memory/2220-9-0x00000000000F0000-0x0000000000118000-memory.dmp

memory/2408-10-0x0000000000820000-0x0000000000848000-memory.dmp

memory/2220-11-0x0000000000E50000-0x0000000000E78000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 22:08

Reported

2024-06-10 22:11

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Update\WwanSvc.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country Destination Domain Proto
CA 158.69.115.115:443 tcp
US 23.53.113.159:80 tcp

Files

memory/2620-0-0x0000000000E80000-0x0000000000EA8000-memory.dmp

C:\ProgramData\Update\WwanSvc.exe

MD5 f26fee28d4f2a345d2eab596c6bea04a
SHA1 05bbaa8659743f340ff2a1c37e304315debd90de
SHA256 508bcbe0760f15cbe2b7c9ac1af10f9ebd3661de6a4366aeae68bb201e2993f3
SHA512 037b0cdb20ae5a8292510391ecd0714744671066b94fbd4d6f8ddc7562f15f89196486dbf3eaa786ad8c902ca1d81aa379f0febadfec35a99a561ba419070bd8

memory/2620-5-0x0000000000E80000-0x0000000000EA8000-memory.dmp

memory/3168-6-0x00000000001C0000-0x00000000001E8000-memory.dmp