Analysis Overview
SHA256
146a190b5140a11a41657634591b108512958c22b3019bdea75867a877b1af03
Threat Level: Shows suspicious behavior
The file 4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 23:02
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 23:02
Reported
2024-06-12 23:05
Platform
win7-20240508-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1868 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 1868 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 1868 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 1868 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| CA | 158.69.115.115:443 | | tcp |
Files
memory/1868-0-0x0000000000080000-0x00000000000A8000-memory.dmp
\ProgramData\Update\WwanSvc.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 58542c38c32f1d5202baa8ec056b5408 |
| SHA1 | 92e5110b1e4ffff2beda12cb3d48a2f70ae91653 |
| SHA256 | 9587f009c2ea85ddb24e26978dbb5d784906101fe6f82e23a7048e0e78330647 |
| SHA512 | cc9a0d962630e6de3b91f9b25185b49c6b66fb22e31aeacab9313b5c8dae386243b5f6b5a3b8798a56dc6987b50fa72c5f65ca27456390bcb60e3c4b0061a130 |
memory/2012-7-0x0000000000810000-0x0000000000838000-memory.dmp
memory/1868-6-0x00000000001C0000-0x00000000001E8000-memory.dmp
memory/1868-8-0x0000000000080000-0x00000000000A8000-memory.dmp
memory/1868-9-0x00000000001C0000-0x00000000001E8000-memory.dmp
memory/1868-10-0x0000000000080000-0x00000000000A8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 23:02
Reported
2024-06-12 23:05
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1436 wrote to memory of 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 1436 wrote to memory of 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 1436 wrote to memory of 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4b47dd9a78fb2810a0befad0cb5ae4e0_NeikiAnalytics.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| CA | 158.69.115.115:443 | | tcp |
| US | 23.53.113.159:80 | | tcp |
Files
memory/1436-0-0x00000000005C0000-0x00000000005E8000-memory.dmp
C:\ProgramData\Update\WwanSvc.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 05d69310dacf1a898e318e599e5e32dc |
| SHA1 | b9f0fe8ee960056a1617a2e0451007c055cb3f56 |
| SHA256 | d68e33140c3de5107dec71edfab0997809b0cb66deb0b43fe7efb97f2991caaf |
| SHA512 | fbcd040d957e1b15c5e935097c951a4bedf5577ce42caf943393186db586a2667f6219f061177e3d9c0ab892cec8019a56b2aa4b83a663a306c401be31109206 |
memory/1436-4-0x00000000005C0000-0x00000000005E8000-memory.dmp
memory/3432-6-0x0000000000170000-0x0000000000198000-memory.dmp