Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 12/05/2024, 21:11
Static task: static1
Behavioral task: behavioral1
- Sample: 5d2f52c087e9c7c4ef00226461c8dfc0_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 5d2f52c087e9c7c4ef00226461c8dfc0_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 5d2f52c087e9c7c4ef00226461c8dfc0_NeikiAnalytics.exe
- Size: 253KB
- MD5: 5d2f52c087e9c7c4ef00226461c8dfc0
- SHA1: 2e20f3d7dfa40208455fe320d07da74de50a355d
- SHA256: 399c6e6444b9a7a8b55a005909185930d72d7bbadcc128adc8b09b7959eeb7ee
- SHA512: 076e759cc5d865dab3d50c876adfb5cbbc80ec2508006f0900c17efdea3c55c4159bd4636df0472dad71042865a24f53212b684cc955aabe979864c48133bad5
- SSDEEP: 3072:6QWpqe+ejXrS791HpKIqGCLOwstyhZFChcssc56FUrgxvbSD4UQrO23xl:WEe+eXO9xpKbShcHUar
Malware Config
Signatures
- Renames multiple (564) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

- Executes dropped EXE (2 IoCs)
  pid   Process
  2084  _cuninst.exe
  2300  Zombie.exe

- Loads dropped DLL (3 IoCs)
  pid   Process
  1612  5d2f52c087e9c7c4ef00226461c8dfc0_NeikiAnalytics.exe
  1612  5d2f52c087e9c7c4ef00226461c8dfc0_NeikiAnalytics.exe
  1612  5d2f52c087e9c7c4ef00226461c8dfc0_NeikiAnalytics.exe

- Drops file in System32 directory (2 IoCs)
  description                    ioc                              Process
  File created                   C:\Windows\SysWOW64\Zombie.exe   5d2f52c087e9c7c4ef00226461c8dfc0_NeikiAnalytics.exe
  File opened for modification   C:\Windows\SysWOW64\Zombie.exe   5d2f52c087e9c7c4ef00226461c8dfc0_NeikiAnalytics.exe

- Drops file in Program Files directory (64 IoCs)
  description   ioc   Process
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png.tmp  Zombie.exe
  File created  C:\Program Files\7-Zip\Lang\ta.txt.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpnr.dll.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat.tmp  Zombie.exe
  File created  C:\Program Files\7-Zip\7-zip32.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\jre\bin\net.dll.tmp  Zombie.exe
  File created  C:\Program Files\7-Zip\Lang\it.txt.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm.tmp  Zombie.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png.tmp  Zombie.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png.tmp  Zombie.exe
  File created  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak.tmp  Zombie.exe
  File created  C:\Program Files\7-Zip\Lang\ext.txt.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\access-bridge-64.jar.tmp  Zombie.exe
  File created  C:\Program Files\Internet Explorer\en-US\eula.rtf.tmp  Zombie.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png.tmp  Zombie.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png.tmp  Zombie.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png.tmp  Zombie.exe
  File created  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\am.pak.tmp  Zombie.exe
  File created  C:\Program Files\Internet Explorer\iedvtool.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h.tmp  Zombie.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\jre\bin\java_crw_demo.dll.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\Services\verisign.bmp.tmp  Zombie.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png.tmp  Zombie.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png.tmp  Zombie.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground_PAL.wmv.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\db\LICENSE.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp  Zombie.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv.tmp  Zombie.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv.tmp  Zombie.exe
  File created  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak.tmp  Zombie.exe
  File created  C:\Program Files\Internet Explorer\pdm.dll.tmp  Zombie.exe
  File created  C:\Program Files\7-Zip\7-zip.dll.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp  Zombie.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv.tmp  Zombie.exe
  File created  C:\Program Files\7-Zip\Lang\si.txt.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\Microsoft Shared\ink\hwritash.dat.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mip.exe.mui.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg.tmp  Zombie.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png.tmp  Zombie.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.tmp  Zombie.exe
  File created  C:\Program Files\DVD Maker\es-ES\OmdProject.dll.mui.tmp  Zombie.exe
  File created  C:\Program Files\Internet Explorer\msdbg2.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\bin\java.exe.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp  Zombie.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png.tmp  Zombie.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png.tmp  Zombie.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                               procid_target
  PID 1612 wrote to memory of 2084   1612  5d2f52c087e9c7c4ef00226461c8dfc0_NeikiAnalytics.exe  29
  PID 1612 wrote to memory of 2084   1612  5d2f52c087e9c7c4ef00226461c8dfc0_NeikiAnalytics.exe  29
  PID 1612 wrote to memory of 2084   1612  5d2f52c087e9c7c4ef00226461c8dfc0_NeikiAnalytics.exe  29
  PID 1612 wrote to memory of 2084   1612  5d2f52c087e9c7c4ef00226461c8dfc0_NeikiAnalytics.exe  29
  PID 1612 wrote to memory of 2300   1612  5d2f52c087e9c7c4ef00226461c8dfc0_NeikiAnalytics.exe  28
  PID 1612 wrote to memory of 2300   1612  5d2f52c087e9c7c4ef00226461c8dfc0_NeikiAnalytics.exe  28
  PID 1612 wrote to memory of 2300   1612  5d2f52c087e9c7c4ef00226461c8dfc0_NeikiAnalytics.exe  28
  PID 1612 wrote to memory of 2300   1612  5d2f52c087e9c7c4ef00226461c8dfc0_NeikiAnalytics.exe  28
Processes
- C:\Users\Admin\AppData\Local\Temp\5d2f52c087e9c7c4ef00226461c8dfc0_NeikiAnalytics.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d2f52c087e9c7c4ef00226461c8dfc0_NeikiAnalytics.exe"
  PID: 1612
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Zombie.exe (level 2)
    Command line: "C:\Windows\system32\Zombie.exe"
    PID: 2300
    - Executes dropped EXE
    - Drops file in Program Files directory
  - C:\Users\Admin\AppData\Local\Temp\_cuninst.exe (level 2)
    Command line: "_cuninst.exe"
    PID: 2084
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 110KB
  MD5: 66d5352706c5edd942d30c4d019514fd
  SHA1: 36b02a0a3fdcdf93938d9f2518ce4b000be83205
  SHA256: 6b103f045a8a587f7ca7239f1cc0abf9d65b0561b95dbfccdb7e35de7d0b35b0
  SHA512: 3cf810c21d5054014b32b111aa0fcaa51da8f29fa52fceb51268d7ec38fc02e62f307cecc4c0b1d55bb576441187b770b6b732a8d3b37a42c3f36127cb5146b4
- Filesize: 143KB
  MD5: 7f9f981d970cbccece6ff126ab309045
  SHA1: 950a14dc6b636237c2f158cce02076b1a1b371e0
  SHA256: 82596d7d86d685087965457c297973c2aa1fbff0f6a0a3b8d8760f1cc65105cf
  SHA512: ac59a2c6bc3b6fad47bac83d84336387b03b45d186c5d021f3c57c7fb160491e8344923d4978e50fb37f6c37e45bbb9c0f9b7cd4b93506ff571c82b795c6fb47
- Filesize: 110KB
  MD5: c526c2e9c3b6a821801040d2f2411f52
  SHA1: 000290ab78a1267fcd3b633752c4429a9070006f
  SHA256: 4b8af4ed2e3481abaf4f3086cf0a64297e42f25109a242fc8c36116fdf5bfcf6
  SHA512: e3f9b53dcc6fa7828c96a48f7cdf05fe97d5d3bb77a2115fd14d1a37df64fe19411c64d5b1686ad9d783af3aa69afef25c727055bb01d57294ed36e5a1b05e58