Malware Analysis Report

2024-10-10 12:49

Sample ID 240613-17av7awejq
Target 8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe
SHA256 4db545873a7abbec5e9057c1eaf1b4786319a7bc15e535faed86fb2d7c6346da
Tags
upx persistence
score
7/10

Analysis Overview


Threat Level: Shows suspicious behavior

The file 8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

upx persistence

Loads dropped DLL

UPX packed file

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:16

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:16

Reported

2024-06-13 22:19

Platform

win7-20240611-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\Update\WwanSvc.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe
Target: N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country: CA
Destination: 158.69.115.115:443
Domain: N/A
Proto: tcp

Files

memory/2440-0-0x0000000000CD0000-0x0000000000CF8000-memory.dmp

\ProgramData\Update\WwanSvc.exe

MD5 f997535040fd7318afe4189618998945
SHA1 e2083477599fb39435348608d814f7d6120c73fc
SHA256 101ce3f2857e948aff84f7971d3436f27b5b60b5b851d2eaf1899fa6174f8c80
SHA512 f7be7b7f297dbc3c674ed01fe5b2efaa38e30c3979165077cac11bf9fb6f4e90cd6bdc2cba8642f3874447dd39ef596cb3cfbfd5a78de2dac1e032bb4e3dfd9d

memory/2584-6-0x00000000011F0000-0x0000000001218000-memory.dmp

memory/2440-7-0x0000000000CD0000-0x0000000000CF8000-memory.dmp

memory/2440-8-0x0000000000130000-0x0000000000158000-memory.dmp

memory/2584-9-0x00000000011F0000-0x0000000001218000-memory.dmp

memory/2440-10-0x0000000000CD0000-0x0000000000CF8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:16

Reported

2024-06-13 22:19

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\Update\WwanSvc.exe
Target: N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8b712cd2c4e2dda537e43e11812cc100_NeikiAnalytics.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country: CA
Destination: 158.69.115.115:443
Domain: N/A
Proto: tcp

Files

memory/2296-0-0x0000000000850000-0x0000000000878000-memory.dmp

C:\ProgramData\Update\WwanSvc.exe

MD5 48b6f0bf1ad883654757c0ecdd748a67
SHA1 e083fc8480c05ae8c40e100d26fd41b58ebcb860
SHA256 ec3c622fe98353c9d437f1f946c401f5737b6a99ffea7b7bc1568d50b8f8cda9
SHA512 9a093f75a0c87ba245cc81c9525151ab01ebc28a965e0324f0fd8ab746d9467c36dcab55a2c9b99b81ae6f35786cac838a74f618917da1877ed695d150206588

memory/2296-4-0x0000000000850000-0x0000000000878000-memory.dmp

memory/4240-6-0x0000000000E70000-0x0000000000E98000-memory.dmp

memory/4240-7-0x0000000000E70000-0x0000000000E98000-memory.dmp