Malware Analysis Report

2025-04-14 03:34

Sample ID: 240612-21fzasxhkq
Target: 4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe
SHA256: 146a190b5140a11a41657634591b108512958c22b3019bdea75867a877b1af03
Tags: upx, persistence
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 146a190b5140a11a41657634591b108512958c22b3019bdea75867a877b1af03

Threat Level: Shows suspicious behavior

The file 4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe shows suspicious behavior.

Malicious Activity Summary

Tags: upx, persistence

UPX packed file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-12 23:02

Signatures

UPX packed file

Tag: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 23:02
Reported: 2024-06-12 23:05
Platform: win7-20240508-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe | N/A

UPX packed file

Tag: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (5 identical matches reported)

Adds Run key to start application

Tag: persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country | Destination | Domain | Proto
CA | 158.69.115.115:443 | | tcp

Files

memory/1868-0-0x0000000000080000-0x00000000000A8000-memory.dmp

\ProgramData\Update\WwanSvc.exe

MD5 58542c38c32f1d5202baa8ec056b5408
SHA1 92e5110b1e4ffff2beda12cb3d48a2f70ae91653
SHA256 9587f009c2ea85ddb24e26978dbb5d784906101fe6f82e23a7048e0e78330647
SHA512 cc9a0d962630e6de3b91f9b25185b49c6b66fb22e31aeacab9313b5c8dae386243b5f6b5a3b8798a56dc6987b50fa72c5f65ca27456390bcb60e3c4b0061a130

memory/2012-7-0x0000000000810000-0x0000000000838000-memory.dmp

memory/1868-6-0x00000000001C0000-0x00000000001E8000-memory.dmp

memory/1868-8-0x0000000000080000-0x00000000000A8000-memory.dmp

memory/1868-9-0x00000000001C0000-0x00000000001E8000-memory.dmp

memory/1868-10-0x0000000000080000-0x00000000000A8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 23:02
Reported: 2024-06-12 23:05
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A

UPX packed file

Tag: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 identical matches reported)

Adds Run key to start application

Tag: persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country | Destination | Domain | Proto
CA | 158.69.115.115:443 | | tcp
US | 23.53.113.159:80 | | tcp

Files

memory/1436-0-0x00000000005C0000-0x00000000005E8000-memory.dmp

C:\ProgramData\Update\WwanSvc.exe

MD5 05d69310dacf1a898e318e599e5e32dc
SHA1 b9f0fe8ee960056a1617a2e0451007c055cb3f56
SHA256 d68e33140c3de5107dec71edfab0997809b0cb66deb0b43fe7efb97f2991caaf
SHA512 fbcd040d957e1b15c5e935097c951a4bedf5577ce42caf943393186db586a2667f6219f061177e3d9c0ab892cec8019a56b2aa4b83a663a306c401be31109206

memory/1436-4-0x00000000005C0000-0x00000000005E8000-memory.dmp

memory/3432-6-0x0000000000170000-0x0000000000198000-memory.dmp