Malware Analysis Report

2024-10-10 12:13

Sample ID 240613-qydwda1dpa
Target 80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe
SHA256 a3bacd6514b7045a1541a8d53c5846b568827fe7165e7bbc15c573dd6a7dc535
Tags
persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

a3bacd6514b7045a1541a8d53c5846b568827fe7165e7bbc15c573dd6a7dc535

Threat Level: suspicious behavior

The file 80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe was found to show suspicious behavior. In both detonations it drops an executable to C:\ProgramData\Update\WwanSvc.exe, launches it with the argument /run, registers it for logon persistence under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run as "Window Update", and connects to 158.69.115.115 on TCP port 443 with no DNS query recorded for that address. Two details matter when turning this into indicators: the value name imitates "Windows Update", and the file name imitates the WWAN AutoConfig service (WwanSvc), which on a real system runs inside svchost.exe from a DLL in System32 and never as a standalone executable under ProgramData. The dropped file's hashes differ between the Windows 7 and Windows 10 runs (see the Files sections below), so the drop path, the Run value and the remote address are more stable indicators than the dropped file's hash.

Malicious Activity Summary

persistence upx

UPX packed file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 13:39

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
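The two static signatures above (UPX section table, no Authenticode signature) can be reproduced on any sample with stdlib Python. The following is an added example and not part of the sandbox report: it walks the PE section table, flags UPX by its section names and flags any section whose byte entropy is at packer level, which is the generic check that still fires when a packer renames its sections. Because the real file is not on this page, the script builds its own constructed stand-in, a minimal PE32 with UPX0/UPX1/.rsrc sections; the entropy threshold of 7.0 is an assumption. Checking the Authenticode state (the "Unsigned PE" signature) needs the certificate table and is not covered here.

```python
import hashlib
import math
import struct

# Section names UPX leaves in the section table of a packed PE.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table.

    Returns one dict per section with name, raw pointer, raw size and the
    entropy of the raw bytes. Only the fields the packing check needs are decoded.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # COFF header is 20 bytes, then the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0"),
            "raw_ptr": raw_ptr,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packing_verdict(sections: list, entropy_threshold: float = 7.0):
    """Return (is_upx, names of high-entropy sections).

    UPX is identified by its section names; the entropy check is the generic
    fallback for packers that rename their sections. Threshold is an assumption.
    """
    names = {s["name"] for s in sections}
    is_upx = bool(names & UPX_SECTION_NAMES)
    hot = [s["name"].decode("ascii", "replace") for s in sections
           if s["raw_size"] > 0 and s["entropy"] >= entropy_threshold]
    return is_upx, hot


def build_constructed_upx_sample() -> bytes:
    """Constructed stand-in for the real sample: a minimal PE32 with UPX-style sections.

    UPX0 has no raw data (the image is unpacked there at run time), UPX1 carries
    high-entropy 'compressed' bytes, .rsrc is low-entropy filler.
    """
    e_lfanew, opt_size = 0x40, 0xE0  # PE32 optional header size; contents zeroed here
    compressed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 bytes
    resources = b"\0" * 256
    upx1_ptr = 0x200
    rsrc_ptr = upx1_ptr + len(compressed)

    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, opt_size, 0x0102)  # i386, 3 sections
    headers = b"PE\0\0" + coff + b"\0" * opt_size

    def section(name, vsize, va, raw_size, raw_ptr, characteristics):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr,
                           0, 0, 0, 0, characteristics)

    headers += section(b"UPX0", 0x10000, 0x1000, 0, 0, 0xE0000080)
    headers += section(b"UPX1", 0x2000, 0x11000, len(compressed), upx1_ptr, 0xE0000040)
    headers += section(b".rsrc", 0x1000, 0x13000, len(resources), rsrc_ptr, 0xC0000040)
    image = dos + headers
    return image + b"\0" * (upx1_ptr - len(image)) + compressed + resources


if __name__ == "__main__":
    secs = parse_sections(build_constructed_upx_sample())
    for s in secs:
        print(f"{s['name'].decode():8} raw=0x{s['raw_size']:x} entropy={s['entropy']:.2f}")
    print("UPX:", packing_verdict(secs))
```

Run it against a real file by replacing the constructed image with `open(path, "rb").read()`; a UPX-packed sample shows UPX0 with zero raw size and UPX1 at entropy close to 8, while an unpacked build has .text around 6 bits per byte.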

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 13:39

Reported

2024-06-13 13:42

Platform

win7-20240611-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Update\WwanSvc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
6 matches; no description, indicator, process or target recorded

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country Destination Domain Proto
CA 158.69.115.115:443 tcp

Files

memory/2984-0-0x0000000000FC0000-0x0000000000FE8000-memory.dmp

memory/2984-4-0x0000000000140000-0x0000000000168000-memory.dmp

\ProgramData\Update\WwanSvc.exe

MD5 3a4135954e2a8d54b4201d5551b13d36
SHA1 aa0be77e07d652226773a286b205c0e10c82219f
SHA256 09d71a186d86f946403117801466f96f847562ca3a8551709b4ba882127d112b
SHA512 bf84f1c998ddbde046d24afe4e61affb9bfcabc8ef78843d472beb123f7ce98691dde9d4d43d6ac3e227b9c152bd4c7aae8a90e4f4569fdd110e5c24fb14948f

memory/2984-7-0x0000000000FC0000-0x0000000000FE8000-memory.dmp

memory/1532-8-0x0000000001010000-0x0000000001038000-memory.dmp

memory/2984-9-0x0000000000FC0000-0x0000000000FE8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 13:39

Reported

2024-06-13 13:42

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Update\WwanSvc.exe N/A

UPX packed file

upx
Description Indicator Process Target
4 matches; no description, indicator, process or target recorded

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"
Process: C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe
Target: N/A
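Both behavioral runs record the same Run-key write (the row above and the identical one in behavioral1). As an added example, not code from the report or from the sandbox, the following Python parses that indicator format into registry key, value name and command line, and then applies the checks an analyst makes by eye: is the key an autorun key, does the target live in a user-writable directory, does the value name imitate a Windows component, and does the file name borrow a service name that legitimately runs only inside svchost. The two indicator strings are copied from this report; the benign control line (modelled on the SecurityHealth Run value Windows 10 creates), the imitated-name list and the service-name list are constructed assumptions.

```python
import difflib
import ntpath
import re

# The two 'Set value (str)' indicators exactly as this report prints them.
RUN_KEY_INDICATORS = [
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"',
]
# Constructed control (not from the report): a legitimate Run value in the same format.
BENIGN_CONTROL = r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe"'

# Registry paths (any hive, native or WOW6432Node view) that start a program at logon.
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices)$", re.IGNORECASE)
# Directories a non-admin can write to; a machine-wide autorun pointing here is a red flag.
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(ProgramData|Users\\[^\\]+\\AppData)\\", re.IGNORECASE)
# Names that malware autorun entries imitate (assumption: illustrative list).
IMITATED_NAMES = ["Windows Update", "Windows Defender", "Microsoft Update"]
# svchost-hosted services that exist only as DLLs under System32 (assumption: illustrative list).
SVCHOST_SERVICES = {"wwansvc", "wlansvc", "wuauserv", "bits"}


def parse_set_value(indicator: str):
    """Split '<key>\\<value name> = "<data>"' into its parts, unescaping \\" and \\\\ in data."""
    lhs, sep, rhs = indicator.partition(" = ")
    if not sep:
        raise ValueError("not a 'key = data' indicator")
    key, _, value_name = lhs.rpartition("\\")
    data = rhs.strip()
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    data = re.sub(r'\\(["\\])', r"\1", data)
    return key, value_name, data


def split_command(cmd: str):
    """Return (executable path, arguments) from a Windows command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in command line")
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args.strip()


def triage_autorun(indicator: str) -> dict:
    """Parse one indicator and list the reasons it looks like malicious persistence."""
    key, value_name, data = parse_set_value(indicator)
    exe, args = split_command(data)
    result = {"key": key, "value_name": value_name, "exe": exe, "args": args,
              "autorun": bool(AUTORUN_KEY_RE.search(key)), "findings": []}
    if not result["autorun"]:
        return result  # not a logon autorun; nothing to judge here
    if USER_WRITABLE_RE.match(exe):
        result["findings"].append("target lives in a user-writable directory")
    close = difflib.get_close_matches(value_name, IMITATED_NAMES, n=1, cutoff=0.8)
    if close and value_name != close[0]:
        result["findings"].append(f"value name {value_name!r} imitates {close[0]!r}")
    base = ntpath.splitext(ntpath.basename(exe))[0].lower()
    if base in SVCHOST_SERVICES and "\\windows\\system32\\" not in exe.lower():
        result["findings"].append(
            f"{ntpath.basename(exe)} borrows the name of svchost-hosted service {base}")
    return result


if __name__ == "__main__":
    for line in RUN_KEY_INDICATORS + [BENIGN_CONTROL]:
        r = triage_autorun(line)
        print(r["value_name"], "->", r["exe"], r["args"], r["findings"] or "clean")
```

The same three checks apply unchanged to Sysmon Event ID 13 (RegistryEvent value set) or to a Run-key dump from a live host; only `parse_set_value` is specific to this report's escaping.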

Processes

C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\80d7e57ccbb67e471aa23adfe83e2850_NeikiAnalytics.exe"

C:\ProgramData\Update\WwanSvc.exe

"C:\ProgramData\Update\WwanSvc.exe" /run

Network

Country Destination Domain Proto
CA 158.69.115.115:443 tcp
US 8.8.8.8:53 g.bing.com udp
US 131.253.33.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.33.253.131.in-addr.arpa udp
BE 2.17.107.106:443 www.bing.com tcp
US 8.8.8.8:53 106.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
BE 2.17.107.106:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 33.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp
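The Windows 10 run adds sixteen rows, of which all but one are background traffic from the guest itself (Bing lookups by the OS and reverse-DNS queries to the 8.8.8.8 resolver). As an added example that is not part of the report, the following Python filters that noise and intersects what remains across the two runs, which is how the single endpoint the sample contacts in both detonations falls out. The rows are copied from the two Network tables above; the resolver address and the benign-domain suffix list are constructed assumptions.

```python
# Rows copied from the two Network tables in this report (header line omitted).
BEHAVIORAL1_NETWORK = """
CA 158.69.115.115:443 tcp
"""
BEHAVIORAL2_NETWORK = """
CA 158.69.115.115:443 tcp
US 8.8.8.8:53 g.bing.com udp
US 131.253.33.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.33.253.131.in-addr.arpa udp
BE 2.17.107.106:443 www.bing.com tcp
US 8.8.8.8:53 106.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
BE 2.17.107.106:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 33.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp
"""

# Assumptions, not from the report: the sandbox resolver and the domains a
# Windows 10 guest contacts on its own.
SANDBOX_RESOLVERS = {"8.8.8.8"}
BENIGN_DOMAIN_SUFFIXES = ("bing.com", "microsoft.com", "windowsupdate.com", "msftconnecttest.com")


def parse_rows(table: str) -> list:
    """Parse 'Country Destination [Domain] Proto' rows; Domain is absent for direct-to-IP traffic."""
    rows = []
    for line in table.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_noise(row: dict) -> bool:
    """Background traffic: resolver queries, reverse lookups, OS telemetry domains."""
    domain = row["domain"]
    if row["ip"] in SANDBOX_RESOLVERS and row["port"] == 53:
        return True
    if domain and domain.endswith(".in-addr.arpa"):
        return True
    if domain and any(domain == s or domain.endswith("." + s) for s in BENIGN_DOMAIN_SUFFIXES):
        return True
    return False


def candidates(table: str) -> set:
    """Endpoints left after noise removal, keyed so the same C2 matches across runs."""
    return {(r["ip"], r["port"], r["proto"], r["domain"])
            for r in parse_rows(table) if not is_noise(r)}


def shared_candidates(*tables: str) -> set:
    """Endpoints contacted in every detonation: the strongest network indicators."""
    sets = [candidates(t) for t in tables]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    shared = shared_candidates(BEHAVIORAL1_NETWORK, BEHAVIORAL2_NETWORK)
    for ip, port, proto, domain in sorted(shared, key=lambda c: (c[0], c[1], c[2], c[3] or "")):
        print(f"{ip}:{port}/{proto}", "no DNS name recorded" if domain is None else domain)
```

A candidate with no domain is worth a second look on its own: a connection to a bare address on 443 with no resolution means the address is embedded in the binary, so blocking the IP is effective until the operator ships a rebuilt sample.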

Files

memory/3912-0-0x0000000000990000-0x00000000009B8000-memory.dmp

C:\ProgramData\Update\WwanSvc.exe

MD5 b6ad5867fd976bc78328692785b2beea
SHA1 0355e298d597a6ca1b6179cb79f858e828fd6288
SHA256 a87abc796a167b5e14021dcdc06ae0a0564ad283b0d3cff289e4082f70b4d997
SHA512 2a8fc4855bda8c002c6770e19c73a4d937cc47cc2118460d157153148b1c5eb6625479bfccf1cd7142a96d308121de04558e0b9518f72ea400491fd05ede41d3

memory/3912-5-0x0000000000990000-0x00000000009B8000-memory.dmp

memory/3852-6-0x0000000000E00000-0x0000000000E28000-memory.dmp