2c7fb5dfb9846b7da82d9bbab74ce56d77e739576be42490b0d9d99bffcc1a86

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82e79b09a6cecca253a51635238fb3b0_NeikiAnalytics.exe
Size

92KB
MD5

82e79b09a6cecca253a51635238fb3b0
SHA1

a85ce551f01f3cbf9e7bcbb5ab11ffc2af14b424
SHA256

2c7fb5dfb9846b7da82d9bbab74ce56d77e739576be42490b0d9d99bffcc1a86
SHA512

2b6faccf8716496ca059bb7fba749fb744a96f1f64ffa55bec5fa5eabf8f4b9b6b8f8e98f3bcc853b452ad06efdf757ee5d657484c997654097f9d98a065dc7a
SSDEEP

1536:W7ZDpApYbWjCDOwr0ARZF6NFVogjQlRv/Lq:6DWpeDOBwUhQ7XO

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (5117) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
2428	_checksum.exe
1592	Zombie.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	82e79b09a6cecca253a51635238fb3b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	82e79b09a6cecca253a51635238fb3b0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Windows.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\decora_sse.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\msipc.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Xml.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.CodeDom.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140_1.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatchingCommon.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationUI.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\lv.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\pack200.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jre8\lib\deployment.config.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Primitives.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-80.png.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2ssv.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCOMMON.DLL.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xml.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXC.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Primitives.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\lib\packager.jar.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OWSSUPP.DLL.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.tree.dat.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfxmedia.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER.XLAM.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Security.dll.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 2428	3304	82e79b09a6cecca253a51635238fb3b0_NeikiAnalytics.exe	89
PID 3304 wrote to memory of 2428	3304	82e79b09a6cecca253a51635238fb3b0_NeikiAnalytics.exe	89
PID 3304 wrote to memory of 1592	3304	82e79b09a6cecca253a51635238fb3b0_NeikiAnalytics.exe	90
PID 3304 wrote to memory of 1592	3304	82e79b09a6cecca253a51635238fb3b0_NeikiAnalytics.exe	90
PID 3304 wrote to memory of 1592	3304	82e79b09a6cecca253a51635238fb3b0_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\82e79b09a6cecca253a51635238fb3b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\82e79b09a6cecca253a51635238fb3b0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Users\Admin\AppData\Local\Temp\_checksum.exe
  "_checksum.exe"
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8
1⤵
PID:2740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.exe

Filesize
57KB

MD5
3a8d790ef2b83bdaabaf16348e57bc25

SHA1
11f6b18b0ff6da30a72acc544cda97e063e00a89

SHA256
f7e250502d76ce4b36718634591875e542d9e5cefe4e1d261fa748f83c01766b

SHA512
e407c98652deb1401b5287bc4182c4894e46cff302059223f2645adc04df20d05bc36b8876e0f238d08b7fb81a3527d318a514b44ba7eb2b4b762c0a5f21d93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_checksum.exe

Filesize
35KB

MD5
23f049f14ca0e68af4b9883514791dfe

SHA1
1224ecfda221e54d4536a4ac102a56235320ee25

SHA256
9562aabe1f71d7ff5ec879fd2fb5cfe4be2c8f62a7fa5a1aa49660c3a495f1fb

SHA512
ce91cd089a299ba88f047cf15fd06673389942dabbf8be5bf2e2666e1048bc6da261ce30cae1e2ecb3b50392441a335bf97cc4ed51540554bedabe65590be677

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
56KB

MD5
422ffd6d973cb221569512f8a86271ea

SHA1
7557de07f388720dfc713900c35bf71470208df4

SHA256
42d9af2aef554c334d1f361a5d2843f80a435cbddd51682f26a3b9cc14657bd6

SHA512
f08fe1e4627488ff45388289de1634386b21fd39ceacb93668a1aff54fa074d5ba383eb1c1133f21965d866e0c6f27cd8a91210537b6357495dd9e1eec845e13

Download Submit
memory/2428-22-0x00000000002E0000-0x00000000002EE000-memory.dmp

Filesize
56KB

Download
memory/2428-21-0x00007FFCC2FB3000-0x00007FFCC2FB5000-memory.dmp

Filesize
8KB

Download
memory/2428-30-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

Filesize
10.8MB

Download
memory/2428-1797-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads