Malware Analysis Report

2024-10-10 12:46

Sample ID: 240613-2g4w1stake
Target: 8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe
SHA256: 5e301dd4f28cc050f5374895a819774926bbf510d6f757d98d15752b009cee30
Tags: upx, persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis Overview

Score: 7/10

SHA256: 5e301dd4f28cc050f5374895a819774926bbf510d6f757d98d15752b009cee30

Threat Level: Shows suspicious behavior

The file 8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe was classified as: Shows suspicious behavior.

Malicious Activity Summary

Tags: upx, persistence

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 22:34

Signatures

UPX packed file

Tag: upx
1 match; no Description, Indicator, Process or Target recorded (all N/A).

Unsigned PE

1 match; no Description, Indicator, Process or Target recorded (all N/A).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 22:34
Reported: 2024-06-13 22:36
Platform: win7-20240508-en
Max time kernel: 117s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\Update\WwanSvc.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe
Target: N/A

UPX packed file

Tag: upx
6 matches; no Description, Indicator, Process or Target recorded (all N/A).

Adds Run key to start application

Tag: persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country  Destination         Domain  Proto
CA       158.69.115.115:443  -       tcp

Files

memory/1436-0-0x0000000000160000-0x0000000000188000-memory.dmp

memory/1436-4-0x0000000000080000-0x00000000000A8000-memory.dmp

C:\ProgramData\Update\WwanSvc.exe

MD5 b955a8ae62499f21db9b6aa541db9b6c
SHA1 ee4b96e2f74dc9cda6e3c894034f84833662394c
SHA256 32d3ed500ce2f36092d4528a5f25dda0b2f98ead21e21c199e63bf1e27eae5a7
SHA512 1f35228a9dd8959d7e22ff137865320a66539358c40fbcc9e70e3744a3675d775a2b6501d1a975cbc1813b83d694899ff6608420080b9508988c63d1a13652b8

memory/1436-7-0x0000000000160000-0x0000000000188000-memory.dmp

memory/2036-8-0x00000000008F0000-0x0000000000918000-memory.dmp

memory/1436-9-0x0000000000160000-0x0000000000188000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 22:34
Reported: 2024-06-13 22:36
Platform: win10v2004-20240226-en
Max time kernel: 152s
Max time network: 161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\Update\WwanSvc.exe
Target: N/A

UPX packed file

Tag: upx
5 matches; no Description, Indicator, Process or Target recorded (all N/A).

Adds Run key to start application

Tag: persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8c8b46576fa8bb16fb0547631c492490_NeikiAnalytics.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country  Destination         Domain                         Proto
CA       158.69.115.115:443  -                              tcp
US       8.8.8.8:53          217.106.137.52.in-addr.arpa    udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53          73.31.126.40.in-addr.arpa      udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53          154.239.44.20.in-addr.arpa     udp
US       13.107.253.67:443   -                              tcp
US       8.8.8.8:53          183.59.114.20.in-addr.arpa     udp
US       8.8.8.8:53          206.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53          32.251.17.2.in-addr.arpa       udp
US       8.8.8.8:53          196.249.167.52.in-addr.arpa    udp
US       8.8.8.8:53          88.251.17.2.in-addr.arpa       udp
US       8.8.8.8:53          22.236.111.52.in-addr.arpa     udp
US       8.8.8.8:53          211.143.182.52.in-addr.arpa    udp
US       8.8.8.8:53          chromewebstore.googleapis.com  udp
US       8.8.8.8:53          chromewebstore.googleapis.com  udp
GB       142.250.200.10:443  chromewebstore.googleapis.com  tcp

Files

memory/4284-0-0x0000000000080000-0x00000000000A8000-memory.dmp

C:\ProgramData\Update\WwanSvc.exe

MD5 19170bdb48279636f7ec235badd738dc
SHA1 cdfc5ae9cee8624b7861f212c4719dd28d6435f6
SHA256 24410cb13985dad137806956ceb70f8eebe9e376de83e308438f09345b5c58bb
SHA512 a103a7216dbf00c41d28021d0d79c2300531e891aad448f46e9f2dab3e21ae3072027cdc2dd18cb532f59332a69d3a9e4269bcd0346e023545629a0412777000

memory/3028-4-0x0000000000200000-0x0000000000228000-memory.dmp

memory/4284-6-0x0000000000080000-0x00000000000A8000-memory.dmp

memory/3028-7-0x0000000000200000-0x0000000000228000-memory.dmp