Analysis Overview
SHA256
e5e29ac2651555ee04748022ca2493400b9507476bfbfd89ab02b20619ed4c5f
Threat Level: Shows suspicious behavior
The file 1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-10 22:08
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 22:08
Reported
2024-06-10 22:11
Platform
win7-20240508-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2220 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 2220 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 2220 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 2220 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | tcp |
Files
memory/2220-0-0x0000000000E50000-0x0000000000E78000-memory.dmp
\ProgramData\Update\WwanSvc.exe
| MD5 | 9074eedd2f395915ac9f7f30efb224b9 |
| SHA1 | df748cb746090eb540eac0709bed96fc75db306b |
| SHA256 | 87bdf42d7ec1869a682930b403a65a41846fc5fb1271356be06fd7243a2dc57a |
| SHA512 | c19ce49c3ac9061f638095fd3b733a035332d4e1def951d3fc732dd5066a3df124ad7202299e4719fafbe54219820ca890cca1d0eeb41b8ca28be9ba762f6dae |
memory/2220-6-0x00000000000F0000-0x0000000000118000-memory.dmp
memory/2408-7-0x0000000000820000-0x0000000000848000-memory.dmp
memory/2220-8-0x0000000000E50000-0x0000000000E78000-memory.dmp
memory/2220-9-0x00000000000F0000-0x0000000000118000-memory.dmp
memory/2408-10-0x0000000000820000-0x0000000000848000-memory.dmp
memory/2220-11-0x0000000000E50000-0x0000000000E78000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 22:08
Reported
2024-06-10 22:11
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2620 wrote to memory of 3168 | N/A | C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 2620 wrote to memory of 3168 | N/A | C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 2620 wrote to memory of 3168 | N/A | C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1d1fdc03f7da06e88ba7df90607b6490_NeikiAnalytics.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | tcp | |
| US | 23.53.113.159:80 | tcp |
Files
memory/2620-0-0x0000000000E80000-0x0000000000EA8000-memory.dmp
C:\ProgramData\Update\WwanSvc.exe
| MD5 | f26fee28d4f2a345d2eab596c6bea04a |
| SHA1 | 05bbaa8659743f340ff2a1c37e304315debd90de |
| SHA256 | 508bcbe0760f15cbe2b7c9ac1af10f9ebd3661de6a4366aeae68bb201e2993f3 |
| SHA512 | 037b0cdb20ae5a8292510391ecd0714744671066b94fbd4d6f8ddc7562f15f89196486dbf3eaa786ad8c902ca1d81aa379f0febadfec35a99a561ba419070bd8 |
memory/2620-5-0x0000000000E80000-0x0000000000EA8000-memory.dmp
memory/3168-6-0x00000000001C0000-0x00000000001E8000-memory.dmp