Analysis Overview
SHA256
4db545873a7abbec5e9057c1eaf1b4786319a7bc15e535faed86fb2d7c6346da
Threat Level: Shows suspicious behavior
The file 8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe shows suspicious behavior: it is an unsigned, UPX-packed PE that drops and executes a second EXE, writes into that child's memory, and installs a machine-wide Run key for persistence.
Malicious Activity Summary
Loads dropped DLL
UPX packed file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 22:16
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 22:16
Reported
2024-06-13 22:19
Platform
win7-20240611-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
6 matches; the sandbox recorded no indicator detail for this signature.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2440 wrote to memory of 2584 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
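The two signatures above carry the indicators an analyst actually pivots on: the Run-key value (`Window Update`, a one-letter miss on the legitimate `Windows Update`, pointing at an EXE under `C:\ProgramData`) and the repeated writes from the dropper into its freshly started child. Note that the dropped WwanSvc.exe has different hashes in the Win7 and Win10 runs, so the file hash is not a stable indicator; the path, the value name and the destination IP are. The script below is an added example, not part of the sandbox report: it parses the indicator string and the WriteProcessMemory descriptions exactly as they appear on this page, splits the Run-key data into image path and arguments, applies a few triage heuristics (user-writable autorun directory, near-miss of a well-known value name, service-style file name outside System32, machine-wide hive), and collapses the repeated WriteProcessMemory rows into per-pair counts. The `WELL_KNOWN_NAMES` list and the similarity threshold are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

# Indicator copied verbatim from the report's "Adds Run key" row for behavioral1.
RUN_KEY_INDICATOR = (
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update'
    r' = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"'
)

# (description, writing process, target process) as in the four
# "Suspicious use of WriteProcessMemory" rows for behavioral1.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe"
DROPPED = r"C:\ProgramData\Update\WwanSvc.exe"
WPM_ROWS = [("PID 2440 wrote to memory of 2584", DROPPER, DROPPED)] * 4

# Assumed list of autorun names that malware likes to imitate (not from the report).
WELL_KNOWN_NAMES = ["Windows Update", "Windows Defender", "SecurityHealth", "OneDrive"]


@dataclass
class RunKeyEntry:
    key_path: str
    value_name: str
    image_path: str
    arguments: str


RUN_KEY_RE = re.compile(r'^(?P<key>\\REGISTRY\\.*\\Run)\\(?P<name>[^\\=]+?) = "(?P<data>.*)"$')
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)$")


def _unescape(s: str) -> str:
    """Undo the report's JSON-style escaping (\\\" and \\\\) of the value data."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in '\\"':
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_run_key(indicator: str) -> RunKeyEntry:
    """Split a 'Set value (str)' Run-key indicator into key, name, image and arguments."""
    m = RUN_KEY_RE.match(indicator)
    if not m:
        raise ValueError(f"not a Run-key Set value indicator: {indicator!r}")
    data = _unescape(m["data"])
    # Honour a quoted image path; otherwise split on the first space.
    if data.startswith('"'):
        end = data.index('"', 1)
        image, args = data[1:end], data[end + 1:]
    else:
        image, _, args = data.partition(" ")
    return RunKeyEntry(m["key"], m["name"], image, args.strip())


def triage_run_key(entry: RunKeyEntry) -> list[str]:
    """Heuristic findings for one autorun entry (thresholds are assumptions)."""
    findings = []
    img = entry.image_path.lower()
    if img.startswith(r"c:\programdata") or r"\appdata\local\temp" in img or r"\users\public" in img:
        findings.append("autorun image is in a user-writable data directory, not Program Files or System32")
    name = entry.value_name.strip()
    for known in WELL_KNOWN_NAMES:
        ratio = SequenceMatcher(None, name.lower(), known.lower()).ratio()
        if 0.8 <= ratio < 1.0:  # close to a well-known name but not equal: typosquat
            findings.append(f"value name {name!r} is a near-miss of {known!r} (similarity {ratio:.2f})")
    base = img.rsplit("\\", 1)[-1]
    if base.endswith("svc.exe") and not img.startswith((r"c:\windows\system32", r"c:\windows\syswow64")):
        findings.append(f"service-style file name {base!r} outside the Windows system directories")
    if entry.key_path.lower().startswith(r"\registry\machine"):
        findings.append("machine-wide Run key: persistence applies to every user on the host")
    return findings


def summarize_wpm(rows: list[tuple[str, str, str]]) -> dict[tuple[int, int, str, str], int]:
    """Collapse repeated WriteProcessMemory rows into (src pid, dst pid, src, dst) -> count."""
    counts: dict[tuple[int, int, str, str], int] = {}
    for desc, src_img, dst_img in rows:
        m = WPM_RE.match(desc)
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]), src_img, dst_img)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    entry = parse_run_key(RUN_KEY_INDICATOR)
    print(entry)
    for finding in triage_run_key(entry):
        print(" -", finding)
    for (src, dst, s, d), n in summarize_wpm(WPM_ROWS).items():
        print(f"PID {src} -> PID {dst}: {n} write(s), {s.rsplit(chr(92), 1)[-1]} -> {d.rsplit(chr(92), 1)[-1]}")
```

The WriteProcessMemory summary only shows that the dropper wrote four times into the child it had just spawned; the report does not record what was written, so treat it as an injection candidate and confirm against the `memory/2584-*` dumps listed under Files rather than asserting hollowing from the count alone.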
Processes
C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | N/A | tcp |
Files
memory/2440-0-0x0000000000CD0000-0x0000000000CF8000-memory.dmp
\ProgramData\Update\WwanSvc.exe
| MD5 | f997535040fd7318afe4189618998945 |
| SHA1 | e2083477599fb39435348608d814f7d6120c73fc |
| SHA256 | 101ce3f2857e948aff84f7971d3436f27b5b60b5b851d2eaf1899fa6174f8c80 |
| SHA512 | f7be7b7f297dbc3c674ed01fe5b2efaa38e30c3979165077cac11bf9fb6f4e90cd6bdc2cba8642f3874447dd39ef596cb3cfbfd5a78de2dac1e032bb4e3dfd9d |
memory/2584-6-0x00000000011F0000-0x0000000001218000-memory.dmp
memory/2440-7-0x0000000000CD0000-0x0000000000CF8000-memory.dmp
memory/2440-8-0x0000000000130000-0x0000000000158000-memory.dmp
memory/2584-9-0x00000000011F0000-0x0000000001218000-memory.dmp
memory/2440-10-0x0000000000CD0000-0x0000000000CF8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 22:16
Reported
2024-06-13 22:19
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
52s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
5 matches; the sandbox recorded no indicator detail for this signature.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2296 wrote to memory of 4240 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | N/A | tcp |
Files
memory/2296-0-0x0000000000850000-0x0000000000878000-memory.dmp
C:\ProgramData\Update\WwanSvc.exe
| MD5 | 48b6f0bf1ad883654757c0ecdd748a67 |
| SHA1 | e083fc8480c05ae8c40e100d26fd41b58ebcb860 |
| SHA256 | ec3c622fe98353c9d437f1f946c401f5737b6a99ffea7b7bc1568d50b8f8cda9 |
| SHA512 | 9a093f75a0c87ba245cc81c9525151ab01ebc28a965e0324f0fd8ab746d9467c36dcab55a2c9b99b81ae6f35786cac838a74f618917da1877ed695d150206588 |
memory/2296-4-0x0000000000850000-0x0000000000878000-memory.dmp
memory/4240-6-0x0000000000E70000-0x0000000000E98000-memory.dmp
memory/4240-7-0x0000000000E70000-0x0000000000E98000-memory.dmp