Analysis

  • max time kernel
    149s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 16:21 UTC

General

  • Target

    887f39c73457ce6a96b3c9c9b2c9d230_NeikiAnalytics.exe

  • Size

    173KB

  • MD5

    887f39c73457ce6a96b3c9c9b2c9d230

  • SHA1

    c060b9e71f9c5864e098408f859e142691dfa3d3

  • SHA256

    aa33d00bbc4f9ef8169f9e14c2140ba73e77b5b23f2ff1f41382037daaa49778

  • SHA512

    65afce9282d57d743b521f993771cf6c7601baa998967cb2fbeedb2499d8f666e60965df15c25fe98d3973e34218823f66fd4b2fbcb49af5f9fe6e3e83ab43cc

  • SSDEEP

    3072:+nyiQSo1EZGtKgZGtK/PgtU1wAIuZAIu+:JiQSo1EZGtKgZGtK/CAIuZAIu+

Score
9/10

Signatures

  • Renames multiple (4662) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\887f39c73457ce6a96b3c9c9b2c9d230_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\887f39c73457ce6a96b3c9c9b2c9d230_NeikiAnalytics.exe"
    • Drops file in Program Files directory
    PID:2948

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    73.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0.lgw.llnw.net
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-be
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    2.17.107.131:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Thu, 09 May 2024 16:21:19 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.7f6b1102.1715271679.8b04c2
  • flag-us
    DNS
    131.107.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    131.107.17.2.in-addr.arpa
    IN PTR
    Response
    131.107.17.2.in-addr.arpa
    IN PTR
    a2-17-107-131.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    24.121.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    24.121.18.2.in-addr.arpa
    IN PTR
    Response
    24.121.18.2.in-addr.arpa
    IN PTR
    a2-18-121-24.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 2.17.107.131:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.4kB
    6.3kB
    16
    11

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    73.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    73.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    0.205.248.87.in-addr.arpa
    dns
    71 B
    116 B
    1
    1

    DNS Request

    0.205.248.87.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    131.107.17.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    131.107.17.2.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    24.121.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    24.121.18.2.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

Downloads

  • C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp

    Filesize

    173KB

    MD5

    b0dc1530231df9b157d3e968c94bfa14

    SHA1

    324e937e8bf6d8a5c0d4c5bfbbd728a6222a2c85

    SHA256

    57e36d47b413976329e472f9938a795d33eabb91a46ec9e23f61c69887848aa0

    SHA512

    e42af229467457c1359310f2d97f0681ed9953488d51c319ca5c3daaa34c712253aae266770125eedb052d8930e5cc2f2077c5846a71f61e5b194fc050a86b80

  • C:\Program Files\7-Zip\7-zip.dll.tmp

    Filesize

    272KB

    MD5

    a09d23f79d5dc1471074f574b2f76a4a

    SHA1

    f261999d51c329ba917e9f25dcbec9a76bdbec63

    SHA256

    3673f798ea1bf67bc200fe64ebff29fc567c077bd4274a9c234454b860b4d0d4

    SHA512

    f6e8f983d4064c279616880491051de051b0e885a48ebff4c07ee24a6de2c4cd2e724df4d95f560c60ddafad5865fe614fb4d12a1ef639fd7da06479b6fe0245

  • memory/2948-0-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2948-1732-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB
