Malware Analysis Report

2024-11-15 05:40

Sample ID 240613-kjr7ka1erd
Target 6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe
SHA256 4ddd3e57628a4d52d944dc494d54fa3542b755eb42eb12ee000bbe454fdea446
Tags: persistence, upx

Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 4ddd3e57628a4d52d944dc494d54fa3542b755eb42eb12ee000bbe454fdea446

Threat Level: Shows suspicious behavior

The file 6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe was classified as showing suspicious behavior (score 7/10). It is an unsigned, UPX-packed PE that drops an executable to C:\ProgramData\Update\WwanSvc.exe, launches it with the /run switch, registers it under the HKLM Run key (Wow6432Node view) as "Window Update" (note the missing "s"), and opens a TCP connection to 158.69.115.115:443 in both detonations.

The two detonations produced different hashes for the dropped file (SHA256 1af80bb9c555c67a16d308b28a7b53fe6c5eaf9fb484ba51b8c3498275e1ca5d on win10v2004, e1f90419a96c9384f841f1c647b678f3cd5396866c5a703279d6ea58648bd474 on win7), so hashes of WwanSvc.exe are weak indicators for hunting; the drop path, the Run value name and the destination address are the stable ones.

Malicious Activity Summary

persistence upx

Executes dropped EXE

UPX packed file

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 08:38

Signatures

UPX packed file

upx
(1 match; no description, indicator, process or target reported)

Unsigned PE

(1 match; no description, indicator, process or target reported)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 08:38

Reported: 2024-06-13 08:40

Platform: win10v2004-20240508-en

Max time kernel: 147s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\Update\WwanSvc.exe
Target: N/A

UPX packed file

upx
(4 matches; no description, indicator, process or target reported)

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country: CA
Destination: 158.69.115.115:443
Domain: N/A
Proto: tcp

Files

memory/1288-1-0x0000000000540000-0x0000000000568000-memory.dmp

memory/1288-5-0x0000000000540000-0x0000000000568000-memory.dmp

memory/1576-6-0x0000000000EF0000-0x0000000000F18000-memory.dmp

C:\ProgramData\Update\WwanSvc.exe

MD5 b5c32285c4d32b418f5eac8d90bf847a
SHA1 33f6fd1b94adfffcfd95034eb9dd5bb95ab23b58
SHA256 1af80bb9c555c67a16d308b28a7b53fe6c5eaf9fb484ba51b8c3498275e1ca5d
SHA512 79f83ffaa21b2ca7b8cf02039da6fa13a8d2359fec1f4bbb35625054de25204290ee0acd092d6af576e7e947ab0b2d562b4e4e150f6d1630f9322600879a9e1d

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 08:38

Reported: 2024-06-13 08:40

Platform: win7-20240419-en

Max time kernel: 121s

Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\Update\WwanSvc.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe
Target: N/A

UPX packed file

upx
(6 matches; no description, indicator, process or target reported)

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe
Target: N/A
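The "Adds Run key" indicator is identical in both detonations (only the case of Wow6432Node differs) and is the most reusable artefact in this report. As an added example, not part of the report or of any sandbox vendor's tooling, the Python below parses that indicator string into hive, key, value name and launch command, then applies two checks a hunter would want: does the autostart image live in a user-writable directory, and does the value name sit within a couple of edits of a Microsoft product name (here "Window Update" versus "Windows Update"). The benign SecurityHealth entry, the user-writable directory list, the mimicked-name list and the two-edit threshold are assumptions made for the example.

```python
"""Parse a sandbox "Set value" Run-key indicator and score it as persistence.

Added example; the REPORT_INDICATOR text is copied from the report, everything
else (benign entry, directory list, name list, threshold) is an assumption.
"""
import re
from typing import List, NamedTuple, Tuple

# Indicator text exactly as the report's "Adds Run key to start application" signature shows it.
REPORT_INDICATOR = (
    r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
    r'\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"'
)

# Constructed benign entry (Windows' default SecurityHealth autostart) used as a control case.
BENIGN_INDICATOR = (
    r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    r'\SecurityHealth = "%windir%\\system32\\SecurityHealthSystray.exe"'
)

HIVES = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}  # NT path prefix -> hive
AUTOSTART_SUFFIXES = ("\\microsoft\\windows\\currentversion\\run",
                      "\\microsoft\\windows\\currentversion\\runonce")
USER_WRITABLE_DIRS = ("\\programdata\\", "\\users\\", "\\appdata\\", "\\temp\\")  # assumed tuning list
MIMICKED_NAMES = ("windows update", "windows defender")  # assumed list of names malware imitates

_INDICATOR_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)"$')


class RunKeyIOC(NamedTuple):
    hive: str
    key: str          # key path below the hive
    value_name: str
    value_type: str
    image: str        # executable the autostart entry launches
    args: str


def split_command_line(command: str) -> Tuple[str, str]:
    """Split a Windows command line into image path and arguments (quoted image supported)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.index('"', 1)
        return command[1:end], command[end + 1:].strip()
    head, _, tail = command.partition(" ")
    return head, tail.strip()


def parse_run_key_indicator(indicator: str) -> RunKeyIOC:
    """Turn the sandbox's 'Set value (type) <NT key path>\\<name> = "<escaped data>"' line into an IOC."""
    m = _INDICATOR_RE.match(indicator)
    if not m:
        raise ValueError(f"not a 'Set value' indicator: {indicator!r}")
    value_type, nt_path, raw_data = m.groups()
    key_path, value_name = nt_path.rsplit("\\", 1)
    for nt_prefix, hive in HIVES.items():
        if key_path.upper().startswith(nt_prefix):
            key = key_path[len(nt_prefix) + 1:]
            break
    else:
        raise ValueError(f"unknown hive in {key_path!r}")
    # The sandbox escapes the value data like a C/JSON string: \" -> " and \\ -> \
    command = re.sub(r"\\(.)", r"\1", raw_data)
    image, args = split_command_line(command)
    return RunKeyIOC(hive, key, value_name, value_type, image, args)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss names such as 'Window Update'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_run_key(ioc: RunKeyIOC) -> List[str]:
    """Return the reasons an autostart entry looks like malware persistence (empty list = nothing odd)."""
    reasons: List[str] = []
    if not any(ioc.key.lower().endswith(s) for s in AUTOSTART_SUFFIXES):
        return reasons  # not a Run/RunOnce location; outside this check's scope
    if any(d in ioc.image.lower() for d in USER_WRITABLE_DIRS):
        reasons.append(f"autostart image in a user-writable directory: {ioc.image}")
    close = [n for n in MIMICKED_NAMES if edit_distance(ioc.value_name.lower(), n) <= 2]
    if close:
        reasons.append(f"value name {ioc.value_name!r} resembles {close[0]!r}")
    return reasons


if __name__ == "__main__":
    for text in (REPORT_INDICATOR, BENIGN_INDICATOR):
        ioc = parse_run_key_indicator(text)
        print(f"{ioc.hive}\\{ioc.key}\\{ioc.value_name} -> {ioc.image} {ioc.args}".rstrip())
        for reason in assess_run_key(ioc):
            print("  !", reason)
```

Both checks fire for the report's entry and neither fires for the SecurityHealth control. The directory check on its own is noisy on real fleets (several legitimate updaters also run from AppData), which is why the name-mimicry check is kept as a second, independent signal rather than folded into the first.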

Processes

C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6d7f80da07db9db7f036850d9aa299c0_NeikiAnalytics.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country: CA
Destination: 158.69.115.115:443
Domain: N/A
Proto: tcp

Files

memory/840-0-0x0000000000380000-0x00000000003A8000-memory.dmp

\ProgramData\Update\WwanSvc.exe

MD5 7a72908d513cee49048ba29f585694d1
SHA1 922291e342cb69ead1c179cbc66d515a260ea203
SHA256 e1f90419a96c9384f841f1c647b678f3cd5396866c5a703279d6ea58648bd474
SHA512 26427286c507ecee8e9a326d7294a52380703e99d71488b435dd317e40b88cef571a29474282e426ac990c2c8a270c723ec749358dbaa11397c4495a5bb84766

memory/840-6-0x00000000000F0000-0x0000000000118000-memory.dmp

memory/2060-7-0x0000000000A10000-0x0000000000A38000-memory.dmp

memory/840-8-0x0000000000380000-0x00000000003A8000-memory.dmp

memory/840-9-0x00000000000F0000-0x0000000000118000-memory.dmp

memory/2060-10-0x0000000000A10000-0x0000000000A38000-memory.dmp

memory/840-11-0x0000000000380000-0x00000000003A8000-memory.dmp