Analysis Overview
SHA256
a3bacd6514b7045a1541a8d53c5846b568827fe7165e7bbc15c573dd6a7dc535
Threat Level: Shows suspicious behavior
The file 80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe was classified as: Shows suspicious behavior (UPX-packed and unsigned; drops and executes C:\ProgramData\Update\WwanSvc.exe, persists through a Run key, and writes into the dropped process's memory).
Malicious Activity Summary
UPX packed file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 13:39
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 13:39
Reported
2024-06-13 13:42
Platform
win7-20240611-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2984 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 2984 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 2984 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 2984 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | | tcp |
Files
memory/2984-0-0x0000000000FC0000-0x0000000000FE8000-memory.dmp
memory/2984-4-0x0000000000140000-0x0000000000168000-memory.dmp
\ProgramData\Update\WwanSvc.exe
| MD5 | 3a4135954e2a8d54b4201d5551b13d36 |
| SHA1 | aa0be77e07d652226773a286b205c0e10c82219f |
| SHA256 | 09d71a186d86f946403117801466f96f847562ca3a8551709b4ba882127d112b |
| SHA512 | bf84f1c998ddbde046d24afe4e61affb9bfcabc8ef78843d472beb123f7ce98691dde9d4d43d6ac3e227b9c152bd4c7aae8a90e4f4569fdd110e5c24fb14948f |
memory/2984-7-0x0000000000FC0000-0x0000000000FE8000-memory.dmp
memory/1532-8-0x0000000001010000-0x0000000001038000-memory.dmp
memory/2984-9-0x0000000000FC0000-0x0000000000FE8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 13:39
Reported
2024-06-13 13:42
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Update\WwanSvc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3912 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 3912 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
| PID 3912 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe | C:\ProgramData\Update\WwanSvc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe"
C:\ProgramData\Update\WwanSvc.exe
"C:\ProgramData\Update\WwanSvc.exe" /run
Network
| Country | Destination | Domain | Proto |
| CA | 158.69.115.115:443 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 131.253.33.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.33.253.131.in-addr.arpa | udp |
| BE | 2.17.107.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 106.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| BE | 2.17.107.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
Files
memory/3912-0-0x0000000000990000-0x00000000009B8000-memory.dmp
C:\ProgramData\Update\WwanSvc.exe
| MD5 | b6ad5867fd976bc78328692785b2beea |
| SHA1 | 0355e298d597a6ca1b6179cb79f858e828fd6288 |
| SHA256 | a87abc796a167b5e14021dcdc06ae0a0564ad283b0d3cff289e4082f70b4d997 |
| SHA512 | 2a8fc4855bda8c002c6770e19c73a4d937cc47cc2118460d157153148b1c5eb6625479bfccf1cd7142a96d308121de04558e0b9518f72ea400491fd05ede41d3 |
memory/3912-5-0x0000000000990000-0x00000000009B8000-memory.dmp
memory/3852-6-0x0000000000E00000-0x0000000000E28000-memory.dmp
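Hunting notes (added example, not part of the sandbox report): the indicators that repeat across both detonations are the Run value "Window Update" under Wow6432Node pointing at C:\ProgramData\Update\WwanSvc.exe, the parent writing into that child's memory, and the TCP connection to 158.69.115.115:443. The dropped WwanSvc.exe has a different SHA256 in each run (09d71a18... in behavioral1, a87abc79... in behavioral2), so a hash list only catches these two specimens; the path, the Run value and the lookalike name are the durable indicators. The legitimate WWAN AutoConfig service is wwansvc.dll hosted inside svchost.exe, so a standalone WwanSvc.exe image under ProgramData is a lure. The script below turns those observations into checks over Sysmon-style event records (EventID 1, 3, 10, 11, 13 with Sysmon field names); the sample records are constructed to mirror behavioral1 and are not telemetry from the report.

```python
"""Hunt for the persistence, injection and C2 indicators of this sample in
Sysmon-style events.  Added example; the event records are constructed."""
import re

# Indicators taken from the report (both runs). Paths are compared case-insensitively.
RUN_VALUE_NAME = "window update"
DROPPED_IMAGE = r"c:\programdata\update\wwansvc.exe"
C2_ENDPOINTS = {("158.69.115.115", 443)}
# SHA256 of the dropped file differed between the two runs, so this list only
# catches the two observed specimens; path and Run value are the stable IOCs.
DROPPED_SHA256 = {
    "09d71a186d86f946403117801466f96f847562ca3a8551709b4ba882127d112b",
    "a87abc796a167b5e14021dcdc06ae0a0564ad283b0d3cff289e4082f70b4d997",
}
PROCESS_VM_WRITE = 0x0020  # access right required for WriteProcessMemory


def _norm(path: str) -> str:
    return path.replace("/", "\\").strip('"').lower()


def is_masquerading_wwansvc(image: str) -> bool:
    """The real WWAN AutoConfig service is wwansvc.dll in svchost.exe; a standalone
    WwanSvc.exe, especially outside the Windows directory, is a lookalike."""
    img = _norm(image)
    return img.endswith("\\wwansvc.exe") and not img.startswith("c:\\windows\\")


def _sha256_from_hashes(field: str) -> str:
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", field)
    return m.group(1).lower() if m else ""


def hunt(events):
    """Return (rule_name, event) pairs for Sysmon-style event dicts."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13:  # RegistryEvent (Value Set)
            key = _norm(ev.get("TargetObject", ""))
            data = _norm(ev.get("Details", ""))
            if "\\currentversion\\run\\" in key:
                if key.rsplit("\\", 1)[-1] == RUN_VALUE_NAME or DROPPED_IMAGE in data:
                    hits.append(("run_key_persistence", ev))
                elif "\\programdata\\" in data or "\\appdata\\local\\temp\\" in data:
                    hits.append(("run_key_untrusted_location", ev))
        elif eid == 11:  # FileCreate
            if is_masquerading_wwansvc(ev.get("TargetFilename", "")):
                hits.append(("dropped_masquerade_exe", ev))
        elif eid == 1:  # ProcessCreate
            if is_masquerading_wwansvc(ev.get("Image", "")):
                hits.append(("masquerade_exe_executed", ev))
            if _sha256_from_hashes(ev.get("Hashes", "")) in DROPPED_SHA256:
                hits.append(("known_dropped_hash", ev))
        elif eid == 10:  # ProcessAccess
            access = int(ev.get("GrantedAccess", "0"), 16)
            if access & PROCESS_VM_WRITE and _norm(ev.get("TargetImage", "")) == DROPPED_IMAGE:
                hits.append(("parent_writes_child_memory", ev))
        elif eid == 3:  # NetworkConnect
            dst = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
            if dst in C2_ENDPOINTS:
                hits.append(("c2_connection", ev))
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe"
DROPPED = r"C:\ProgramData\Update\WwanSvc.exe"

# Constructed records mirroring behavioral1 (not telemetry from the report),
# followed by benign noise that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update",
     "Details": r'"C:\ProgramData\Update\WwanSvc.exe" /run'},
    {"EventID": 1, "Image": DROPPED, "ParentImage": SAMPLE,
     "CommandLine": r'"C:\ProgramData\Update\WwanSvc.exe" /run',
     "Hashes": "MD5=3a4135954e2a8d54b4201d5551b13d36,"
               "SHA256=09d71a186d86f946403117801466f96f847562ca3a8551709b4ba882127d112b"},
    {"EventID": 10, "SourceImage": SAMPLE, "TargetImage": DROPPED, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "DestinationIp": "158.69.115.115", "DestinationPort": "443"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 3, "DestinationIp": "8.8.8.8", "DestinationPort": "53"},
]

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"{rule:28s} EventID={ev['EventID']}")
```

The rules are deliberately ordered from durable to brittle: the Run value and the lookalike image name survive a rebuild of the dropper, the parent-to-child memory write is a behavior, and the hash set is last because the report itself shows it changing between runs.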