b4b34264d0836a48f650baeb718aa06f91302a95313152a9bce6e0f1d2a6beed

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f473f08c5cf58ddd38da0b6f873bfc0_NEIKI.exe
Size

247KB
MD5

2f473f08c5cf58ddd38da0b6f873bfc0
SHA1

0f4fbcf1e2012a9bb8fdd1264744345c15f2f154
SHA256

b4b34264d0836a48f650baeb718aa06f91302a95313152a9bce6e0f1d2a6beed
SHA512

d5e5a96ee8518c980225b06bd63581bad50b9d6b3542d87b46efae1070c1803e872f332ee95a065e45460c5d470f229a138bf46e2ee228a435f5d55ecec41b56
SSDEEP

3072:6e7WpHIyRF9ESWu0SWuDmSXrwcysSSw9mHpKZNGCLOwstyhZFChcssc56FUrgxvI:RqlIyFESWu0SWuTSh9UpK7ShcHUaZ0

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (284) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
2948	_cinst.exe
2996	Zombie.exe

Loads dropped DLL 3 IoCs

pid	Process
1540	2f473f08c5cf58ddd38da0b6f873bfc0_NEIKI.exe
1540	2f473f08c5cf58ddd38da0b6f873bfc0_NEIKI.exe
1540	2f473f08c5cf58ddd38da0b6f873bfc0_NEIKI.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	2f473f08c5cf58ddd38da0b6f873bfc0_NEIKI.exe
File created	C:\Windows\SysWOW64\Zombie.exe	2f473f08c5cf58ddd38da0b6f873bfc0_NEIKI.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DissolveNoise.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fr.pak.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\da.pak.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\fieldswitch.ax.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\msado15.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2948	1540	2f473f08c5cf58ddd38da0b6f873bfc0_NEIKI.exe	28
PID 1540 wrote to memory of 2948	1540	2f473f08c5cf58ddd38da0b6f873bfc0_NEIKI.exe	28
PID 1540 wrote to memory of 2948	1540	2f473f08c5cf58ddd38da0b6f873bfc0_NEIKI.exe	28
PID 1540 wrote to memory of 2948	1540	2f473f08c5cf58ddd38da0b6f873bfc0_NEIKI.exe	28
PID 1540 wrote to memory of 2996	1540	2f473f08c5cf58ddd38da0b6f873bfc0_NEIKI.exe	30
PID 1540 wrote to memory of 2996	1540	2f473f08c5cf58ddd38da0b6f873bfc0_NEIKI.exe	30
PID 1540 wrote to memory of 2996	1540	2f473f08c5cf58ddd38da0b6f873bfc0_NEIKI.exe	30
PID 1540 wrote to memory of 2996	1540	2f473f08c5cf58ddd38da0b6f873bfc0_NEIKI.exe	30

C:\Users\Admin\AppData\Local\Temp\2f473f08c5cf58ddd38da0b6f873bfc0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\2f473f08c5cf58ddd38da0b6f873bfc0_NEIKI.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\_cinst.exe
  "_cinst.exe"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.tmp

Filesize
105KB

MD5
8abbdcdb0d9c180964f9499d36ba96e2

SHA1
1a200da42476deb0273b9fe300c83f7c756735d5

SHA256
ea93a7799fb4a64b83ad354834964d7e5c2d2f860bcf67af8f4d11d7600cf697

SHA512
d5b7174a93b715c5cbdcf5b5de00d989da9dd81770acc3de706ac1c883a89403a37338ab7974f748e11f0b179276a472edec815e520e2ea60b13458c8b64c049

Download Submit
\Users\Admin\AppData\Local\Temp\_cinst.exe

Filesize
143KB

MD5
2fdb371d45181dff59577110ba1064e2

SHA1
42a5833cb0ac90e38d734d1327bb3f7c7a6aa453

SHA256
80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155

SHA512
52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20

Download Submit
\Windows\SysWOW64\Zombie.exe

Filesize
104KB

MD5
3cd001c929674ac992bd180f9ebf49ae

SHA1
c921f08d5eb02e27fcc04be5a9abab434bff14e7

SHA256
cd9598f195cd63c3f24d3457fa0f400cdeae1a140312972e5975e4d3ab65783d

SHA512
81eb0d8d7ffa0985ec50d95832c3ba4a6a858e3f2ca947e4c1c8c6189a1489ad55b01e409245b0dc1623b0ca88707ca06dbdbfc000a85c70c8aff37e351ba4a0

Download Submit
memory/2948-19-0x000007FEF5D33000-0x000007FEF5D34000-memory.dmp

Filesize
4KB

Download
memory/2948-20-0x00000000000A0000-0x00000000000C8000-memory.dmp

Filesize
160KB

Download