Malware Analysis Report

2024-10-10 12:46

Sample ID 240613-2jrpgaxblq
Target 8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe
SHA256 315a315970fb047492fde0edbba82cd9f47be4f631d6b0b4711d8ba64b6a6047
Tags: upx, persistence
Score: 7/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256

315a315970fb047492fde0edbba82cd9f47be4f631d6b0b4711d8ba64b6a6047

Threat Level: Shows suspicious behavior

The file 8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

Tags: upx, persistence

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:37

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:37

Reported

2024-06-13 22:39

Platform

win7-20240508-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\Update\WwanSvc.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe
Target: N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country: CA
Destination: 158.69.115.115:443
Domain: N/A
Proto: tcp

Files

\ProgramData\Update\WwanSvc.exe

MD5 a075a1ee0b3a5606149430524d5fdf05
SHA1 6b0a0a613c179f5947a44d251cc5b42c85625d0c
SHA256 0c79ac0728a2970381491af4bc1284d7457e695379dd1c0014be026f9d19c267
SHA512 c04b383e965675f248cc483280a02afa4d3f29655c0992cd462765fe2d3ad180e72bf9b1fd2dc32f35c239c7ad1c8717d59df9666cdb742b76b2536c8d6fdd88

memory/2056-0-0x00000000000C0000-0x00000000000E8000-memory.dmp

memory/2056-4-0x0000000000080000-0x00000000000A8000-memory.dmp

memory/1608-7-0x0000000000D30000-0x0000000000D58000-memory.dmp

memory/2056-8-0x00000000000C0000-0x00000000000E8000-memory.dmp

memory/2056-9-0x00000000000C0000-0x00000000000E8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:37

Reported

2024-06-13 22:39

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\Update\WwanSvc.exe
Target: N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8cb5270d22d3d3adff873ac037df9e20_NeikiAnalytics.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country: CA
Destination: 158.69.115.115:443
Domain: N/A
Proto: tcp

Files

C:\ProgramData\Update\WwanSvc.exe

MD5 f4fcc43ff5343787a3d1d83bfd68985c
SHA1 528346dd89a6b20049e1eddbb9a3d3377a820b99
SHA256 8c823bf125bad2fe31feb2c9027e22c3240313eb3589d09d5610efd196fb816d
SHA512 6734e66bcec0e330c31ebe98b55887d82d5fbb75e73f9d007579cca8203220f20ef6759c1602f109b3df6b016c57551984160726f1f409212b8d35c50a51807d

memory/756-5-0x00000000004A0000-0x00000000004C8000-memory.dmp

memory/4312-4-0x00000000008E0000-0x0000000000908000-memory.dmp

memory/756-6-0x00000000004A0000-0x00000000004C8000-memory.dmp