315a315970fb047492fde0edbba82cd9f47be4f631d6b0b4711d8ba64b6a6047

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe
Size

134KB
MD5

8cb5270d22d3d3adff873ac037df9e20
SHA1

f70375da5ff0d4a806b9bd1a144f494cd3cca7cd
SHA256

315a315970fb047492fde0edbba82cd9f47be4f631d6b0b4711d8ba64b6a6047
SHA512

16b01055e60a59bb947888d0e885cc1786ab7bbe6c2bb991968192595f7f41278a0d71d0d9a09f19cb75069bb54e893e65d8866a8ed431c27aecb90661da2c9a
SSDEEP

1536:rF0AJELopHG9aa+9qX3apJzAKWYr0v7ioy6paK2AZqMIK7aGZh38Qt:riAyLN9aa+9U2rW1ip6pr2At7NZuQt

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1608	WwanSvc.exe

Loads dropped DLL 1 IoCs

pid	Process
2056	8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x003100000001611e-2.dat	upx
behavioral1/memory/2056-0-0x00000000000C0000-0x00000000000E8000-memory.dmp	upx
behavioral1/memory/2056-4-0x0000000000080000-0x00000000000A8000-memory.dmp	upx
behavioral1/memory/1608-7-0x0000000000D30000-0x0000000000D58000-memory.dmp	upx
behavioral1/memory/2056-8-0x00000000000C0000-0x00000000000E8000-memory.dmp	upx
behavioral1/memory/2056-9-0x00000000000C0000-0x00000000000E8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"	8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 1608	2056	8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe	28
PID 2056 wrote to memory of 1608	2056	8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe	28
PID 2056 wrote to memory of 1608	2056	8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe	28
PID 2056 wrote to memory of 1608	2056	8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2056
- C:\ProgramData\Update\WwanSvc.exe
  "C:\ProgramData\Update\WwanSvc.exe" /run
  2⤵
  - Executes dropped EXE
  PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Update\WwanSvc.exe

Filesize
134KB

MD5
a075a1ee0b3a5606149430524d5fdf05

SHA1
6b0a0a613c179f5947a44d251cc5b42c85625d0c

SHA256
0c79ac0728a2970381491af4bc1284d7457e695379dd1c0014be026f9d19c267

SHA512
c04b383e965675f248cc483280a02afa4d3f29655c0992cd462765fe2d3ad180e72bf9b1fd2dc32f35c239c7ad1c8717d59df9666cdb742b76b2536c8d6fdd88

Download Submit
memory/1608-7-0x0000000000D30000-0x0000000000D58000-memory.dmp

Filesize
160KB

Download
memory/2056-0-0x00000000000C0000-0x00000000000E8000-memory.dmp

Filesize
160KB

Download
memory/2056-4-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/2056-8-0x00000000000C0000-0x00000000000E8000-memory.dmp

Filesize
160KB

Download
memory/2056-9-0x00000000000C0000-0x00000000000E8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads