Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
13/06/2024, 22:37
Behavioral task
behavioral1
Sample
8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe
-
Size
134KB
-
MD5
8cb5270d22d3d3adff873ac037df9e20
-
SHA1
f70375da5ff0d4a806b9bd1a144f494cd3cca7cd
-
SHA256
315a315970fb047492fde0edbba82cd9f47be4f631d6b0b4711d8ba64b6a6047
-
SHA512
16b01055e60a59bb947888d0e885cc1786ab7bbe6c2bb991968192595f7f41278a0d71d0d9a09f19cb75069bb54e893e65d8866a8ed431c27aecb90661da2c9a
-
SSDEEP
1536:rF0AJELopHG9aa+9qX3apJzAKWYr0v7ioy6paK2AZqMIK7aGZh38Qt:riAyLN9aa+9U2rW1ip6pr2At7NZuQt
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1608 WwanSvc.exe -
Loads dropped DLL 1 IoCs
pid Process 2056 8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe -
resource yara_rule behavioral1/files/0x003100000001611e-2.dat upx behavioral1/memory/2056-0-0x00000000000C0000-0x00000000000E8000-memory.dmp upx behavioral1/memory/2056-4-0x0000000000080000-0x00000000000A8000-memory.dmp upx behavioral1/memory/1608-7-0x0000000000D30000-0x0000000000D58000-memory.dmp upx behavioral1/memory/2056-8-0x00000000000C0000-0x00000000000E8000-memory.dmp upx behavioral1/memory/2056-9-0x00000000000C0000-0x00000000000E8000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" 8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2056 wrote to memory of 1608 2056 8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe 28 PID 2056 wrote to memory of 1608 2056 8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe 28 PID 2056 wrote to memory of 1608 2056 8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe 28 PID 2056 wrote to memory of 1608 2056 8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\ProgramData\Update\WwanSvc.exe"C:\ProgramData\Update\WwanSvc.exe" /run2⤵
- Executes dropped EXE
PID:1608
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
134KB
MD5a075a1ee0b3a5606149430524d5fdf05
SHA16b0a0a613c179f5947a44d251cc5b42c85625d0c
SHA2560c79ac0728a2970381491af4bc1284d7457e695379dd1c0014be026f9d19c267
SHA512c04b383e965675f248cc483280a02afa4d3f29655c0992cd462765fe2d3ad180e72bf9b1fd2dc32f35c239c7ad1c8717d59df9666cdb742b76b2536c8d6fdd88