Malware Analysis Report

2025-08-10 12:15

Sample ID 240610-1tm9cssgmq
Target 1cd1f3d2ccfb9c8e1d5bb04d6bb58540_NeikiAnalytics.exe
SHA256 9f45c012cf8151eface50ecfacf8a33f03fd27b954a8f825111a81f9b77dc9fe
Tags
persistence upx
Score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
7/10

SHA256

9f45c012cf8151eface50ecfacf8a33f03fd27b954a8f825111a81f9b77dc9fe

Threat Level: Shows suspicious behavior

The file 1cd1f3d2ccfb9c8e1d5bb04d6bb58540_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

persistence upx

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 21:56

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 21:56

Reported

2024-06-10 21:59

Platform

win7-20240508-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cd1f3d2ccfb9c8e1d5bb04d6bb58540_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Update\WwanSvc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cd1f3d2ccfb9c8e1d5bb04d6bb58540_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\1cd1f3d2ccfb9c8e1d5bb04d6bb58540_NeikiAnalytics.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1cd1f3d2ccfb9c8e1d5bb04d6bb58540_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1cd1f3d2ccfb9c8e1d5bb04d6bb58540_NeikiAnalytics.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country Destination Domain Proto
CA 158.69.115.115:443 tcp

Files

memory/2204-1-0x0000000001180000-0x00000000011A8000-memory.dmp

\ProgramData\Update\WwanSvc.exe

MD5 0f5601b02f50741fe57135764cf9b56f
SHA1 9e1e183a0e4bf6af97fd9aee6838e0587d4fb61d
SHA256 d5b1ad12dc490cf9e1e27e79fa73fcb1fefe281fc3a1fac454836930a5813e6e
SHA512 da75e1d07f0ec3780a97822e2660c8bf97c4247f79e74dcec409a7188a1929079989298db7be074b27ecc898914811bbe1cf34913e28adda94b6b8573ca43525

memory/2204-4-0x0000000000190000-0x00000000001B8000-memory.dmp

memory/2180-7-0x0000000000190000-0x00000000001B8000-memory.dmp

memory/2204-8-0x0000000000190000-0x00000000001B8000-memory.dmp

memory/2180-9-0x0000000000190000-0x00000000001B8000-memory.dmp

memory/2204-10-0x0000000001180000-0x00000000011A8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 21:56

Reported

2024-06-10 21:59

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cd1f3d2ccfb9c8e1d5bb04d6bb58540_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Update\WwanSvc.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\1cd1f3d2ccfb9c8e1d5bb04d6bb58540_NeikiAnalytics.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1cd1f3d2ccfb9c8e1d5bb04d6bb58540_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1cd1f3d2ccfb9c8e1d5bb04d6bb58540_NeikiAnalytics.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country Destination Domain Proto
CA 158.69.115.115:443 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/1948-0-0x0000000000100000-0x0000000000128000-memory.dmp

memory/1948-3-0x0000000000100000-0x0000000000128000-memory.dmp

C:\ProgramData\Update\WwanSvc.exe

MD5 0ef0340df83fbab828fed4398f014344
SHA1 838dcf69afe4a16f3b9a9f55f8573c3df66104f5
SHA256 56a370805c696b2da5a313e1267bd7727b0220f246fe35fd8a2cbcfc03edff4a
SHA512 c55da70c79b93a9262cde7d0a1e665baeb4eee8c4c293e833a99ce0c5e604bc4b12bb8a183306583730341be20fe210a83e7f564bd88e9a466a7af64d178f732

memory/784-5-0x0000000000730000-0x0000000000758000-memory.dmp

memory/784-7-0x0000000000730000-0x0000000000758000-memory.dmp