Analysis Overview
SHA256
5e301dd4f28cc050f5374895a819774926bbf510d6f757d98d15752b009cee30
Threat Level: Shows suspicious behavior
The file 8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
UPX packed file
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 22:34
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 22:34
Reported
2024-06-13 22:36
Platform
win7-20240508-en
Max time kernel
117s
Max time network
122s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe | N/A |
UPX packed file (6 matches)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory (4 events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1436 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| CA | 158.69.115.115:443 | | tcp |
Files
memory/1436-0-0x0000000000160000-0x0000000000188000-memory.dmp
memory/1436-4-0x0000000000080000-0x00000000000A8000-memory.dmp
C:\ProgramData\Update\WwanSvc.exe
| MD5 | b955a8ae62499f21db9b6aa541db9b6c |
| SHA1 | ee4b96e2f74dc9cda6e3c894034f84833662394c |
| SHA256 | 32d3ed500ce2f36092d4528a5f25dda0b2f98ead21e21c199e63bf1e27eae5a7 |
| SHA512 | 1f35228a9dd8959d7e22ff137865320a66539358c40fbcc9e70e3744a3675d775a2b6501d1a975cbc1813b83d694899ff6608420080b9508988c63d1a13652b8 |
memory/1436-7-0x0000000000160000-0x0000000000188000-memory.dmp
memory/2036-8-0x00000000008F0000-0x0000000000918000-memory.dmp
memory/1436-9-0x0000000000160000-0x0000000000188000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 22:34
Reported
2024-06-13 22:36
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
161s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
UPX packed file (5 matches)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory (3 events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4284 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| CA | 158.69.115.115:443 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 13.107.253.67:443 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.200.10:443 | chromewebstore.googleapis.com | tcp |
Files
memory/4284-0-0x0000000000080000-0x00000000000A8000-memory.dmp
C:\ProgramData\Update\WwanSvc.exe
| MD5 | 19170bdb48279636f7ec235badd738dc |
| SHA1 | cdfc5ae9cee8624b7861f212c4719dd28d6435f6 |
| SHA256 | 24410cb13985dad137806956ceb70f8eebe9e376de83e308438f09345b5c58bb |
| SHA512 | a103a7216dbf00c41d28021d0d79c2300531e891aad448f46e9f2dab3e21ae3072027cdc2dd18cb532f59332a69d3a9e4269bcd0346e023545629a0412777000 |
memory/3028-4-0x0000000000200000-0x0000000000228000-memory.dmp
memory/4284-6-0x0000000000080000-0x00000000000A8000-memory.dmp
memory/3028-7-0x0000000000200000-0x0000000000228000-memory.dmp