Analysis Overview
SHA256
4ddd3e57628a4d52d944dc494d54fa3542b755eb42eb12ee000bbe454fdea446
Threat Level: Shows suspicious behavior
The file 6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe was classified as: Shows suspicious behavior. The sample itself is UPX-packed and unsigned. In both behavioral runs below it drops an executable to C:\ProgramData\Update\WwanSvc.exe (the same name as the Windows WWAN AutoConfig service, WwanSvc), launches it with the /run switch, writes into that child's memory from the parent process, and persists it through an HKLM Run value named "Window Update" (one letter off from "Windows Update"; the key sits under WOW6432Node, so the writer is a 32-bit process on 64-bit Windows). Both runs open a TCP connection to 158.69.115.115:443. The dropped WwanSvc.exe has a different MD5/SHA1/SHA256 in each run (see the Files tables), so the drop path, the Run value name and command line, and the remote socket are the durable indicators; the dropped file's hashes are not.
Malicious Activity Summary
Executes dropped EXE
UPX packed file
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 08:38
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 08:38
Reported
2024-06-13 08:40
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1288 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 1288 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 1288 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | N/A | tcp |
Files
memory/1288-1-0x0000000000540000-0x0000000000568000-memory.dmp
memory/1288-5-0x0000000000540000-0x0000000000568000-memory.dmp
memory/1576-6-0x0000000000EF0000-0x0000000000F18000-memory.dmp
C:\ProgramData\Update\WwanSvc.exe
| MD5 | b5c32285c4d32b418f5eac8d90bf847a |
| SHA1 | 33f6fd1b94adfffcfd95034eb9dd5bb95ab23b58 |
| SHA256 | 1af80bb9c555c67a16d308b28a7b53fe6c5eaf9fb484ba51b8c3498275e1ca5d |
| SHA512 | 79f83ffaa21b2ca7b8cf02039da6fa13a8d2359fec1f4bbb35625054de25204290ee0acd092d6af576e7e947ab0b2d562b4e4e150f6d1630f9322600879a9e1d |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 08:38
Reported
2024-06-13 08:40
Platform
win7-20240419-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 840 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 840 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 840 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 840 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | N/A | tcp |
Files
memory/840-0-0x0000000000380000-0x00000000003A8000-memory.dmp
\ProgramData\Update\WwanSvc.exe
| MD5 | 7a72908d513cee49048ba29f585694d1 |
| SHA1 | 922291e342cb69ead1c179cbc66d515a260ea203 |
| SHA256 | e1f90419a96c9384f841f1c647b678f3cd5396866c5a703279d6ea58648bd474 |
| SHA512 | 26427286c507ecee8e9a326d7294a52380703e99d71488b435dd317e40b88cef571a29474282e426ac990c2c8a270c723ec749358dbaa11397c4495a5bb84766 |
memory/840-6-0x00000000000F0000-0x0000000000118000-memory.dmp
memory/2060-7-0x0000000000A10000-0x0000000000A38000-memory.dmp
memory/840-8-0x0000000000380000-0x00000000003A8000-memory.dmp
memory/840-9-0x00000000000F0000-0x0000000000118000-memory.dmp
memory/2060-10-0x0000000000A10000-0x0000000000A38000-memory.dmp
memory/840-11-0x0000000000380000-0x00000000003A8000-memory.dmp
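The indicators in the two behavioral runs above (drop path, Run value, parent-to-child memory write, remote socket, per-run hashes) can be turned directly into a host hunt. The block below is an added example for this page, not code from the sandbox or from the sample's author. It encodes those indicators and runs them over constructed Sysmon-style events (EventID 1 process create, 3 network connect, 10 process access, 13 registry value set); the event dicts, their field names and the two benign events are constructed for illustration, and the PROCESS_VM_WRITE bit (0x0020) is the standard Windows access right that WriteProcessMemory requires. The rule that flags any Run value whose command points under C:\ProgramData goes beyond this one sample; it is included because that generalisation is what makes the Run-key indicator survive a change of file name.

```python
"""Hunt for the indicators from this report in Sysmon-style telemetry.

Added example: the events below are constructed and only loosely follow
Sysmon field names; they are not records from the sandbox runs.
"""

# Indicators copied from the behavioral runs.
DROP_PATH = r"C:\ProgramData\Update\WwanSvc.exe"
DROP_ARGS = "/run"
RUN_VALUE_NAME = "Window Update"            # one letter off from "Windows Update"
RUN_KEY_SUFFIX = r"\Microsoft\Windows\CurrentVersion\Run"
C2_SOCKET = ("158.69.115.115", 443)
# The dropped file hashed differently in the win10 and win7 runs, so these are
# the weakest indicators here; path, value name and socket were stable.
DROPPED_SHA256 = {
    "1af80bb9c555c67a16d308b28a7b53fe6c5eaf9fb484ba51b8c3498275e1ca5d",  # behavioral2 (win10)
    "e1f90419a96c9384f841f1c647b678f3cd5396866c5a703279d6ea58648bd474",  # behavioral1 (win7)
}
PROCESS_VM_WRITE = 0x0020                   # access right needed for WriteProcessMemory


def _norm_path(p: str) -> str:
    """Lower-case, strip surrounding quotes and unify slashes for comparison."""
    return p.strip('"').replace("/", "\\").lower()


def _sha256_from_hashes(field: str) -> str:
    """Sysmon packs hashes as 'MD5=...,SHA256=...'; return the SHA256 or ''."""
    for part in field.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def match_event(ev: dict) -> list:
    """Return the names of every indicator this single event satisfies."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process create
        image = _norm_path(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "").lower()
        if image == _norm_path(DROP_PATH):
            hits.append("dropped_exe_executed")
            if cmd.endswith(" " + DROP_ARGS):
                hits.append("dropped_exe_run_switch")
        if _sha256_from_hashes(ev.get("Hashes", "")) in DROPPED_SHA256:
            hits.append("dropped_exe_known_hash")
    elif eid == 13 and ev.get("EventType") == "SetValue":  # registry value set
        key, _, value_name = ev.get("TargetObject", "").rpartition("\\")
        details = _norm_path(ev.get("Details", ""))
        if key.lower().endswith(RUN_KEY_SUFFIX.lower()):
            if value_name == RUN_VALUE_NAME:
                hits.append("run_value_window_update")
            if _norm_path(DROP_PATH) in details:
                hits.append("run_value_points_at_dropped_exe")
            # Generalisation beyond this sample: autostart entries living under
            # ProgramData are rare for legitimate software and worth a look.
            if details.startswith("c:\\programdata\\"):
                hits.append("run_value_in_programdata")
    elif eid == 10:  # process access (the WriteProcessMemory signature above)
        access = int(ev.get("GrantedAccess", "0x0"), 16)
        if _norm_path(ev.get("TargetImage", "")) == _norm_path(DROP_PATH) and access & PROCESS_VM_WRITE:
            hits.append("vm_write_into_dropped_exe")
    elif eid == 3:  # network connect
        if (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0))) == C2_SOCKET:
            hits.append("c2_socket")
    return hits


def scan(events: list) -> dict:
    """Map event index -> indicator names, keeping only events that fired."""
    result = {}
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            result[i] = hits
    return result


# Constructed sample telemetry: four events modelled on the behavioral2 run,
# one benign Run value, and the dropper's own process-create event (the hash
# set covers the dropped stage only, so that last one is expected not to fire).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\ProgramData\Update\WwanSvc.exe",
     "CommandLine": r'"C:\ProgramData\Update\WwanSvc.exe" /run',
     "Hashes": "MD5=b5c32285c4d32b418f5eac8d90bf847a,SHA256=1af80bb9c555c67a16d308b28a7b53fe6c5eaf9fb484ba51b8c3498275e1ca5d",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update",
     "Details": r'"C:\ProgramData\Update\WwanSvc.exe" /run'},
    {"EventID": 10,
     "SourceImage": r"C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe",
     "TargetImage": r"C:\ProgramData\Update\WwanSvc.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "DestinationIp": "158.69.115.115", "DestinationPort": 443, "Protocol": "tcp"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 1,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe"',
     "Hashes": "SHA256=4ddd3e57628a4d52d944dc494d54fa3542b755eb42eb12ee000bbe454fdea446"},
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["EventID"], names)
```

Run as-is it prints the four firing events; to use it on real telemetry, replace SAMPLE_EVENTS with parsed Sysmon records and keep the field names. Note which indicators carry the weight: the process-access rule requires PROCESS_VM_WRITE in GrantedAccess, which mirrors the "PID X wrote to memory of PID Y" rows above, and the hash rule fires only on the two hashes observed in these runs, so a fresh detonation of the same dropper would most likely be caught by the path and registry rules rather than by hash.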