Analysis Overview
SHA256
315a315970fb047492fde0edbba82cd9f47be4f631d6b0b4711d8ba64b6a6047
Threat Level: Shows suspicious behavior
The file 8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
UPX packed file
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 22:37
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 22:37
Reported
2024-06-13 22:39
Platform
win7-20240508-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2056 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 2056 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 2056 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 2056 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | N/A | tcp |
Files
\ProgramData\Update\WwanSvc.exe
| MD5 | a075a1ee0b3a5606149430524d5fdf05 |
| SHA1 | 6b0a0a613c179f5947a44d251cc5b42c85625d0c |
| SHA256 | 0c79ac0728a2970381491af4bc1284d7457e695379dd1c0014be026f9d19c267 |
| SHA512 | c04b383e965675f248cc483280a02afa4d3f29655c0992cd462765fe2d3ad180e72bf9b1fd2dc32f35c239c7ad1c8717d59df9666cdb742b76b2536c8d6fdd88 |
memory/2056-0-0x00000000000C0000-0x00000000000E8000-memory.dmp
memory/2056-4-0x0000000000080000-0x00000000000A8000-memory.dmp
memory/1608-7-0x0000000000D30000-0x0000000000D58000-memory.dmp
memory/2056-8-0x00000000000C0000-0x00000000000E8000-memory.dmp
memory/2056-9-0x00000000000C0000-0x00000000000E8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 22:37
Reported
2024-06-13 22:39
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe | N/A |
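The "Adds Run key to start application" indicator above is reported identically in behavioral1 and behavioral2 except for the case of Wow6432Node in the key path; registry key paths are case-insensitive, so a parser must not treat the two as different keys. The following is an added example, not code from this report or from the sandbox that produced it: a Python parser for the report's `Set value (str)` indicator format (`<key>\<value name> = <data>`, with the data escaped like a JSON string literal, as inferred from the two lines above) that extracts the autorun image and arguments and attaches the triage flags a responder would want. The `HIVE_PREFIXES` mapping and the flag names are this example's own choices.

```python
import json
import re
from dataclasses import dataclass, field

# "Set value (str)" indicators as reported for behavioral1 and behavioral2 above.
# Registry key paths are case-insensitive, so the Wow6432Node/WOW6432Node
# difference between the two runs must not break matching.
RUN_KEY_INDICATORS = [
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"',
]

# Object-manager hive prefixes rewritten to the usual short names (assumed mapping).
HIVE_PREFIXES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}

AUTORUN_KEY_SUFFIX = r"\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"


@dataclass
class AutorunEntry:
    key: str                      # e.g. HKLM\SOFTWARE\Wow6432Node\...\Run
    value_name: str               # e.g. Window Update
    command: str                  # decoded value data, e.g. "C:\ProgramData\Update\WwanSvc.exe" /run
    image: str                    # executable path taken from the command
    args: str                     # remaining arguments, e.g. /run
    flags: list = field(default_factory=list)


def parse_indicator(indicator: str) -> AutorunEntry:
    """Split '<key>\\<value name> = <data>'; the data is escaped like a JSON string literal."""
    lhs, sep, rhs = indicator.partition(" = ")
    if not sep:
        raise ValueError("not a 'Set value' indicator: %r" % indicator)
    key, _, value_name = lhs.rpartition("\\")
    command = json.loads(rhs)          # undoes the \" and \\ escaping shown in the report
    for prefix, hive in HIVE_PREFIXES.items():
        if key.upper().startswith(prefix.upper()):
            key = hive + key[len(prefix):]
            break
    # First token is the image: either a quoted path or a bare one.
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)$', command)
    if m is None:
        raise ValueError("empty command line")
    image = m.group(1) or m.group(2)
    return AutorunEntry(key, value_name, command, image, m.group(3).strip())


def assess(entry: AutorunEntry) -> AutorunEntry:
    """Attach triage flags; the names are this example's own, not a sandbox vocabulary."""
    key_u, image_u = entry.key.upper(), entry.image.upper()
    if key_u.startswith("HKLM") and key_u.endswith(AUTORUN_KEY_SUFFIX):
        entry.flags.append("machine_wide_autorun")    # fires for every interactive logon
    if "\\WOW6432NODE\\" in key_u:
        entry.flags.append("wow64_view")              # written by a 32-bit process on 64-bit Windows
    if image_u.startswith("C:\\PROGRAMDATA\\"):
        entry.flags.append("user_writable_location")  # standard users can create files under ProgramData
    stem = entry.image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if stem.upper() not in entry.value_name.upper():
        entry.flags.append("value_name_mismatch")     # "Window Update" does not name WwanSvc.exe
    return entry


def triage(indicators=RUN_KEY_INDICATORS):
    return [assess(parse_indicator(i)) for i in indicators]


def same_persistence(entries) -> bool:
    """True when every run set the same key, value name and command (key case ignored)."""
    return len({(e.key.upper(), e.value_name, e.command) for e in entries}) == 1


if __name__ == "__main__":
    for e in triage():
        print(e.key, "|", e.value_name, "|", e.image, e.args, "|", ",".join(e.flags))
```

Matching on the normalized key, value name and decoded command rather than on the raw indicator string is what lets the two runs be recognised as the same persistence mechanism; the same normalization applies when hunting for the entry on a live host, where the 32-bit view is reached through Wow6432Node.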
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4312 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 4312 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 4312 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | N/A | tcp |
Files
C:\ProgramData\Update\WwanSvc.exe
| MD5 | f4fcc43ff5343787a3d1d83bfd68985c |
| SHA1 | 528346dd89a6b20049e1eddbb9a3d3377a820b99 |
| SHA256 | 8c823bf125bad2fe31feb2c9027e22c3240313eb3589d09d5610efd196fb816d |
| SHA512 | 6734e66bcec0e330c31ebe98b55887d82d5fbb75e73f9d007579cca8203220f20ef6759c1602f109b3df6b016c57551984160726f1f409212b8d35c50a51807d |
memory/756-5-0x00000000004A0000-0x00000000004C8000-memory.dmp
memory/4312-4-0x00000000008E0000-0x0000000000908000-memory.dmp
memory/756-6-0x00000000004A0000-0x00000000004C8000-memory.dmp
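Two things in the behavioral1 and behavioral2 Files and memory-dump listings above are worth checking rather than eyeballing. First, the dropped WwanSvc.exe has a different SHA256 in each run (0c79ac… versus 8c823b…), so that hash is not a reusable indicator, whereas the drop path, the "Window Update" Run value and the 158.69.115.115:443 destination are identical across runs. Second, the dump names encode the PID and the start and end address of each region, so region sizes in the WriteProcessMemory caller and its target can be compared directly. The following is an added example, not code from this report or the sandbox: a Python parser for the dump-name format inferred from the listings above, plus a cross-run comparison of the indicators, with the `RUNS` table assembled by hand from the sections above.

```python
import re
from collections import defaultdict

# Memory-dump names copied from the behavioral1 and behavioral2 listings above.
BEHAVIORAL1_DUMPS = [
    "memory/2056-0-0x00000000000C0000-0x00000000000E8000-memory.dmp",
    "memory/2056-4-0x0000000000080000-0x00000000000A8000-memory.dmp",
    "memory/1608-7-0x0000000000D30000-0x0000000000D58000-memory.dmp",
    "memory/2056-8-0x00000000000C0000-0x00000000000E8000-memory.dmp",
    "memory/2056-9-0x00000000000C0000-0x00000000000E8000-memory.dmp",
]
BEHAVIORAL2_DUMPS = [
    "memory/756-5-0x00000000004A0000-0x00000000004C8000-memory.dmp",
    "memory/4312-4-0x00000000008E0000-0x0000000000908000-memory.dmp",
    "memory/756-6-0x00000000004A0000-0x00000000004C8000-memory.dmp",
]

# Per-run indicators taken from the Files, Processes, Signatures and Network sections.
RUNS = {
    "behavioral1": {
        "dropped_sha256": "0c79ac0728a2970381491af4bc1284d7457e695379dd1c0014be026f9d19c267",
        "dropped_path": r"C:\ProgramData\Update\WwanSvc.exe",
        "run_value": "Window Update",
        "c2": "158.69.115.115:443",
    },
    "behavioral2": {
        "dropped_sha256": "8c823bf125bad2fe31feb2c9027e22c3240313eb3589d09d5610efd196fb816d",
        "dropped_path": r"C:\ProgramData\Update\WwanSvc.exe",
        "run_value": "Window Update",
        "c2": "158.69.115.115:443",
    },
}

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp (format inferred from the listings)
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump(name: str) -> dict:
    """Decode one dump name into pid, sequence number, start, end and region size."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError("unexpected dump name: %r" % name)
    pid, seq = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    if end <= start:
        raise ValueError("inverted address range in %r" % name)
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """Distinct (start, size) regions per PID; repeated dumps of one region collapse."""
    out = defaultdict(set)
    for d in map(parse_dump, names):
        out[d["pid"]].add((d["start"], d["size"]))
    return dict(out)


def shared_region_sizes(names, writer_pid, target_pid):
    """Region sizes dumped from both the WriteProcessMemory caller and its target."""
    by_pid = regions_by_pid(names)
    writer = {size for _, size in by_pid.get(writer_pid, ())}
    target = {size for _, size in by_pid.get(target_pid, ())}
    return writer & target


def stable_indicators(runs):
    """Indicator names whose value is identical in every run."""
    names = set().union(*(r.keys() for r in runs.values()))
    return {n for n in names if len({r.get(n) for r in runs.values()}) == 1}


def volatile_indicators(runs):
    """Indicator names that changed between runs and should not be pinned as IOCs."""
    return set().union(*(r.keys() for r in runs.values())) - stable_indicators(runs)


if __name__ == "__main__":
    for label, dumps, writer, target in (("behavioral1", BEHAVIORAL1_DUMPS, 2056, 1608),
                                         ("behavioral2", BEHAVIORAL2_DUMPS, 4312, 756)):
        sizes = sorted(hex(s) for s in shared_region_sizes(dumps, writer, target))
        print(label, "regions of equal size in writer and target:", sizes)
    print("stable:", sorted(stable_indicators(RUNS)))
    print("volatile:", sorted(volatile_indicators(RUNS)))
```

Every region dumped in either run is 0x28000 bytes, in the parent as well as in the WwanSvc.exe child it wrote to; that is the reason to diff the parent and child dumps for a copied image rather than assume one, since the report itself only records that the writes happened. The volatile dropped-file hash is the usual consequence of a per-run artifact and is the kind of value that should be dropped from a blocklist in favour of the path, value name and destination that held across both detonations.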