Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/05/2024, 17:34
Behavioral task: behavioral1
- Sample: 2294cb30527865276de7c666554cea20_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 2294cb30527865276de7c666554cea20_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 2294cb30527865276de7c666554cea20_NeikiAnalytics.exe
- Size: 143KB
- MD5: 2294cb30527865276de7c666554cea20
- SHA1: 34f319e1998c220b824cd4a08db81c442914ebc3
- SHA256: a758160c32cc9a36ace89a09b1c780cfc833f97b082a1b8140423e1505c3652e
- SHA512: e358cfc0c94616e3718f46643b413d01b67cbfea2ba2684877c7338ff6808f3c88b19e0a56aac020598bc71047d87993898c393b8e4f5e5017b7b00e68a8ad06
- SSDEEP: 3072:+nymCAIuZAIuYSMjoqtMHfhfgpW0/5Zeb7:JmCAIuZAIuDMVtM/6p7q7
Malware Config
Signatures (every result below is from behavioral2, the win10v2004-20240508-en run; the process ids and memory dumps all belong to that task)
- Renames multiple (4838) files with added filename extension
  Mass renaming that appends one new extension to existing files is the characteristic footprint of ransomware encrypting files across the system.
- Executes dropped EXE (2 IoCs)
  pid | Process
  2296 | Zombie.exe
  692 | _MofCompiler.exe
- yara_rule matches (4 IoCs)
  resource | yara_rule
  behavioral2/memory/2724-0-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/files/0x0005000000023276-8.dat | upx
  behavioral2/files/0x00070000000233f9-14.dat | upx
  behavioral2/memory/2296-10-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  The upx rule hits the in-memory image of both the parent (PID 2724) and Zombie.exe (PID 2296) as well as the two dropped files, so both the sample and its payload carry UPX signatures; unpack before static analysis.
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\Zombie.exe | 2294cb30527865276de7c666554cea20_NeikiAnalytics.exe
  File opened for modification | C:\Windows\SysWOW64\Zombie.exe | 2294cb30527865276de7c666554cea20_NeikiAnalytics.exe
- Drops file in Program Files directory (64 IoCs)
  All 64 entries are "File created" by Zombie.exe; each path is an existing file name with .tmp appended, spread across the Office, .NET, Java, 7-Zip and Internet Explorer installation trees:
  C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-100.png.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationTypes.resources.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Controls.Ribbon.resources.dll.tmp
  C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\sqmapi_x64.dll.tmp
  C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js.tmp
  C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp
  C:\Program Files\Java\jre-1.8\bin\glib-lite.dll.tmp
  C:\Program Files\Java\jre-1.8\lib\tzdb.dat.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms.tmp
  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Primitives.dll.tmp
  C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL.tmp
  C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.tmp
  C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ul-oob.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ppd.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Primitives.dll.tmp
  C:\Program Files\Java\jdk-1.8\jre\bin\instrument.dll.tmp
  C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.tmp
  C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-pl.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.cat.tmp
  C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE.tmp
  C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Controls.Ribbon.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Threading.AccessControl.dll.tmp
  C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.resources.dll.tmp
  C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md.tmp
  C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.tmp
  C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Windows.dll.tmp
  C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp
  C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png.tmp
  C:\Program Files\Microsoft Office\root\Office16\ONBttnOL.dll.tmp
  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL011.XML.tmp
  C:\Program Files\7-Zip\7z.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Algorithms.dll.tmp
  C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.tmp
  C:\Program Files\Internet Explorer\uk-UA\iexplore.exe.mui.tmp
  C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md.tmp
  C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp
  C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp
  C:\Program Files\Java\jre-1.8\lib\security\trusted.libraries.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationCore.resources.dll.tmp
  C:\Program Files\Java\jdk-1.8\jre\bin\dcpr.dll.tmp
  C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv.tmp
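The two Zombie.exe file-system behaviours recorded in this report, the extension-appending renames flagged by the "Renames multiple (4838) files with added filename extension" signature and the per-file .tmp creates listed above, translate directly into detection logic. The following is an added example, not tria.ge's signature code and not anything from the sample. It assumes a pipe-delimited "op|path|newpath|process" event layout; the ".zombie" extension, the process names other than those in the report, and every path except the SysWOW64\Zombie.exe drop and the two Program Files .tmp paths are invented, and the thresholds are kept low so the constructed events trigger it.

```python
"""Detection logic for the two file-system behaviours this report attributes
to Zombie.exe: renaming many files by appending one new extension, and creating
<original name>.tmp files across many directories.  Added example, not code
from tria.ge or from the sample.  Assumptions: the pipe-delimited
"op|path|newpath|process" event layout, the thresholds, the ".zombie"
extension and every path not taken from the report."""
import collections
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FileEvent:
    op: str                  # "created" or "renamed"
    path: str                # path acted on (old path for a rename)
    newpath: Optional[str]   # new path for a rename, else None
    process: str


@dataclass(frozen=True)
class Finding:
    process: str
    signature: str
    count: int


# Constructed sample events.  Only the SysWOW64\Zombie.exe drop and the two
# Program Files .tmp paths appear in the report; the rest is invented.
SAMPLE_EVENTS = r"""
created|C:\Windows\SysWOW64\Zombie.exe||2294cb30527865276de7c666554cea20_NeikiAnalytics.exe
created|C:\Program Files\7-Zip\7z.dll.tmp||Zombie.exe
renamed|C:\Program Files\7-Zip\7z.dll|C:\Program Files\7-Zip\7z.dll.zombie|Zombie.exe
created|C:\Program Files\Java\jre-1.8\lib\tzdb.dat.tmp||Zombie.exe
renamed|C:\Program Files\Java\jre-1.8\lib\tzdb.dat|C:\Program Files\Java\jre-1.8\lib\tzdb.dat.zombie|Zombie.exe
created|C:\Users\Admin\Documents\budget.xlsx.tmp||Zombie.exe
renamed|C:\Users\Admin\Documents\budget.xlsx|C:\Users\Admin\Documents\budget.xlsx.zombie|Zombie.exe
created|C:\Users\Admin\Pictures\holiday.jpg.tmp||Zombie.exe
renamed|C:\Users\Admin\Pictures\holiday.jpg|C:\Users\Admin\Pictures\holiday.jpg.zombie|Zombie.exe
renamed|C:\Users\Admin\Desktop\notes.txt|C:\Users\Admin\Desktop\notes.txt.zombie|Zombie.exe
renamed|C:\Users\Admin\Documents\report.docx|C:\Users\Admin\Documents\report.docx.bak|WINWORD.EXE
renamed|C:\Users\Admin\Documents\old.txt|C:\Users\Admin\Documents\new.txt|explorer.exe
created|C:\Users\Admin\AppData\Local\Temp\setup1.tmp||installer.exe
created|C:\Users\Admin\AppData\Local\Temp\setup2.tmp||installer.exe
created|C:\Users\Admin\AppData\Local\Temp\setup3.tmp||installer.exe
"""

_EXT = re.compile(r"[A-Za-z0-9_-]{1,16}")


def appended_extension(old: str, new: str) -> Optional[str]:
    """Return the lower-cased suffix if `new` is exactly `old` + "." + one
    extension (prefix compared case-insensitively); None for any other rename."""
    if len(new) < len(old) + 2:
        return None
    if new[: len(old)].lower() != old.lower() or new[len(old)] != ".":
        return None
    ext = new[len(old) + 1:]
    return ext.lower() if _EXT.fullmatch(ext) else None


def parse_events(text: str) -> List[FileEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        op, path, newpath, process = line.split("|")
        events.append(FileEvent(op, path, newpath or None, process))
    return events


def analyse(events: List[FileEvent], rename_threshold: int = 5,
            tmp_threshold: int = 3, tmp_min_dirs: int = 2) -> List[Finding]:
    """Aggregate per process.  Renames count only when the same extension is
    appended, which separates an encryptor from a backup tool adding .bak once;
    .tmp creation must be spread over several directories, which separates it
    from an installer unpacking into a single Temp folder."""
    renames = collections.defaultdict(collections.Counter)  # process -> ext -> n
    tmp_count: collections.Counter = collections.Counter()
    tmp_dirs = collections.defaultdict(set)
    for ev in events:
        if ev.op == "renamed" and ev.newpath:
            ext = appended_extension(ev.path, ev.newpath)
            if ext:
                renames[ev.process][ext] += 1
        elif ev.op == "created" and ev.path.lower().endswith(".tmp"):
            tmp_count[ev.process] += 1
            tmp_dirs[ev.process].add(ntpath.dirname(ev.path).lower())

    findings: List[Finding] = []
    for process, by_ext in renames.items():
        for ext, n in by_ext.items():
            if n >= rename_threshold:
                findings.append(Finding(process, f"Renames multiple ({n}) files with added filename extension .{ext}", n))
    for process, n in tmp_count.items():
        if n >= tmp_threshold and len(tmp_dirs[process]) >= tmp_min_dirs:
            findings.append(Finding(process, f"Creates {n} .tmp files across {len(tmp_dirs[process])} directories", n))
    return findings


if __name__ == "__main__":
    for f in analyse(parse_events(SAMPLE_EVENTS)):
        print(f"{f.process}: {f.signature}")
```

On the constructed events only Zombie.exe fires: WINWORD.EXE appends .bak to a single file and explorer.exe renames without appending, both below the rename threshold, and installer.exe creates its .tmp files in one directory. Against a real run the thresholds belong in the thousands of renames, as the 4838 in this report shows, and the appended extension is whatever the encryptor chooses; the rule keys on the rename shape, not on a known extension.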
- Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 2724 wrote to memory of 2296 | 2724 | 2294cb30527865276de7c666554cea20_NeikiAnalytics.exe | 82
  PID 2724 wrote to memory of 2296 | 2724 | 2294cb30527865276de7c666554cea20_NeikiAnalytics.exe | 82
  PID 2724 wrote to memory of 2296 | 2724 | 2294cb30527865276de7c666554cea20_NeikiAnalytics.exe | 82
  PID 2724 wrote to memory of 692 | 2724 | 2294cb30527865276de7c666554cea20_NeikiAnalytics.exe | 83
  PID 2724 wrote to memory of 692 | 2724 | 2294cb30527865276de7c666554cea20_NeikiAnalytics.exe | 83
  All five writes go from the parent into the two children it spawns. A parent writing into a freshly created child also happens during ordinary process creation, so this signature alone does not prove injection; the upx matches on both the parent and Zombie.exe memory dumps above are the stronger evidence that the same packed payload runs in both.
Processes
- C:\Users\Admin\AppData\Local\Temp\2294cb30527865276de7c666554cea20_NeikiAnalytics.exe (PID 2724)
  command line: "C:\Users\Admin\AppData\Local\Temp\2294cb30527865276de7c666554cea20_NeikiAnalytics.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Zombie.exe (PID 2296), child of 2724
    command line: "C:\Windows\system32\Zombie.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
  - C:\Users\Admin\AppData\Local\Temp\_MofCompiler.exe (PID 692), child of 2724
    command line: "_MofCompiler.exe"
    - Executes dropped EXE
The Zombie.exe command line names C:\Windows\system32\ while the image and the "File created" IoC sit in C:\Windows\SysWOW64\: the sample is 32-bit (resource tag arch:x86) running on an x64 guest, so WOW64 file-system redirection maps its system32 writes to SysWOW64. Hunt for the dropped file under SysWOW64 on x64 hosts and under System32 only on 32-bit ones.
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 122KB
  MD5: 29014981459b5833e83a38c5e1542522
  SHA1: eb1a5bb56daf0cd4894a479d7ba84298e2d0b58b
  SHA256: c440e9d6ffe800a5cc818c609f0aca29d87e96633bd68e6091dd88d7fee65c46
  SHA512: 9fd97b197ec47766480b5ca1da83b4f183702175af5b1b8e81169e7e4f9eff84e72b374117b42d27fb2ef1e6309319be2f3bef9380a8996091dc21e3242a41f3
- Filesize: 21KB
  MD5: 0fe6e0e01318f2a27ece0176423ea4f8
  SHA1: 71cf6aaa4a88a2e892ce113fe35518441a58a97d
  SHA256: 36217b7c4ac6aabc74a7f9d0d8da2002f5909d1d6dcb663c9cb1ec2c02a387b3
  SHA512: 56be67fcf76f46a171c0ebcaa988e1e20cdba5fa91871e076b424b0b9bdd21219a19ca70c85314e5a79c1f878b7f68d7e51596b49536296e41ded5846158ac9b
- Filesize: 121KB
  MD5: 8f11f3322f4c3c02bf58eb8cafc31d29
  SHA1: 8066f7edf9cfc0aeb22d1388ff07fff9e94a1a75
  SHA256: 60f2b57e91b825bca68b4d5fc3c9f9cdc92129f1c5f527dc0ff34004717d2d44
  SHA512: b7e17b985684af4d37958f5ebc455cf2f9b7c4445d2ed0f5badfbacc883cf2ca3c5fb5cc472762abe5dcc0e08e5830362de1d7cba4dc3d05d96ccfa671f149f9