Overview

overview

9

Static

static

3

9520899231...cs.exe

windows7-x64

9

9520899231...cs.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    14/05/2024, 06:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    9520899231aec17bb37583fd4db24c70_NeikiAnalytics.exe

  • Size

    271KB

  • MD5

    9520899231aec17bb37583fd4db24c70

  • SHA1

    c36b30e4a1e43a1953733f8a6d548f167f1ce621

  • SHA256

    9390771bb76035909006cd86e22a96a2eaa665c9b2fc47f9b22eb445a1f2bbd8

  • SHA512

    ad56d6ad15db02abc8a599bbb27cf44f294aa43f0d309c4d559f11e44be2f6226d5536c6cb2b1c4ca14a56911d89ad3439f5266dcdb6c4c667b5b03336bf1aae

  • SSDEEP

    3072:9QWpngTJdwJdpE9tHpKrvGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2Exi:LVgV95pK7ShcHUad

Score
9/10
ransomware

Malware Config

Signatures

  • Renames multiple (3431) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9520899231aec17bb37583fd4db24c70_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9520899231aec17bb37583fd4db24c70_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Users\Admin\AppData\Local\Temp\_clist.exe
      "_clist.exe"
      2⤵
      • Executes dropped EXE
      PID:2168
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:2380

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.tmp
          Filesize

          128KB

          MD5

          39065ad918841f30c411d69c029aae1a

          SHA1

          601c4d82db452f4e68790a7f9fb3fb57c3f05898

          SHA256

          abf0e60debe87bba715f7f61942e341a16c28b2a4ca5a17055e1f8e91516049c

          SHA512

          cd44aa49aedc36cecddfbd005b0022809ae24fdc6a4fde221e421277723639be2529250e0b663a5474a3a14a3afa4794cf63158ed4b13e6bc56a9bf2ced48b7e

          Download Submit

        • \Users\Admin\AppData\Local\Temp\_clist.exe
          Filesize

          143KB

          MD5

          b27ea830fb39bc056e65f9a2260ae216

          SHA1

          b69e40ee5cabe0721d2d1e9fbdd4088fd87592d6

          SHA256

          fb7fab836f744d669451dcd38aa7d2a9c74c6af893c258d079439b58abce70d8

          SHA512

          22cad79d90a949174828ee5e3ce621113591c7c991c55c1a6a44a4555002adeb3bcbd9bab6cfbbfdefd663b76ac2dae96d70a01c527b312c7e8d223334a30219

          Download Submit

        • \Windows\SysWOW64\Zombie.exe
          Filesize

          128KB

          MD5

          6e47167afecfbecd98613cdfc69699de

          SHA1

          80634698ca65811bf0fa3d1e68d8939789d06a4d

          SHA256

          9ec5b4582552cc2c4e9b6b8a61ea08e12cc082a4c4135ef0651aec7cbe4ae674

          SHA512

          eb43685a4b63307555c379af4b812dc2b0b0ab6dc5d8f07d30fa733296f2758896bdbb425e44dd1231d99ab95c18a806f1e57204b3df701dd32ce362c016becd

          Download Submit

        • memory/2040-0-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2040-9-0x0000000000260000-0x0000000000268000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2040-18-0x0000000000260000-0x0000000000268000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2168-23-0x000007FEF5163000-0x000007FEF5164000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2168-24-0x0000000000B10000-0x0000000000B38000-memory.dmp

          Filesize

          160KB

          Download

        • memory/2380-19-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download