9390771bb76035909006cd86e22a96a2eaa665c9b2fc47f9b22eb445a1f2bbd8

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9520899231aec17bb37583fd4db24c70_NeikiAnalytics.exe
Size

271KB
MD5

9520899231aec17bb37583fd4db24c70
SHA1

c36b30e4a1e43a1953733f8a6d548f167f1ce621
SHA256

9390771bb76035909006cd86e22a96a2eaa665c9b2fc47f9b22eb445a1f2bbd8
SHA512

ad56d6ad15db02abc8a599bbb27cf44f294aa43f0d309c4d559f11e44be2f6226d5536c6cb2b1c4ca14a56911d89ad3439f5266dcdb6c4c667b5b03336bf1aae
SSDEEP

3072:9QWpngTJdwJdpE9tHpKrvGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2Exi:LVgV95pK7ShcHUad

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (4906) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
436	_clist.exe
4900	Zombie.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	9520899231aec17bb37583fd4db24c70_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	9520899231aec17bb37583fd4db24c70_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\ReachFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.StackTrace.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN120.XML.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Primitives.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsBase.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationUI.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClient.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\coreclr.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.Dialog.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\ReachFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Client\vccorlib140.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Queryable.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote.cat.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcr120.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\ReachFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ppd.xrm-ms.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 436	4456	9520899231aec17bb37583fd4db24c70_NeikiAnalytics.exe	81
PID 4456 wrote to memory of 436	4456	9520899231aec17bb37583fd4db24c70_NeikiAnalytics.exe	81
PID 4456 wrote to memory of 4900	4456	9520899231aec17bb37583fd4db24c70_NeikiAnalytics.exe	82
PID 4456 wrote to memory of 4900	4456	9520899231aec17bb37583fd4db24c70_NeikiAnalytics.exe	82
PID 4456 wrote to memory of 4900	4456	9520899231aec17bb37583fd4db24c70_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\9520899231aec17bb37583fd4db24c70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9520899231aec17bb37583fd4db24c70_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Local\Temp\_clist.exe
  "_clist.exe"
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.exe

Filesize
128KB

MD5
6d337e2b835168e2b4c57a191ef46d5d

SHA1
b8da27a789c7fc4d7f17e72107281ad7b00fa8ca

SHA256
bb96063723dcacda4af4474fb01b816a16d948e2fb8f3ba3d86467f1073a34c9

SHA512
f67c0a4fe674914a782c395573da2ef0db4011dd9b85054315dacaf75e7f96d9714d769b1f4ac1b2af17e1286760f3e045725ca0f53696aa416fc2c9ec56186e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_clist.exe

Filesize
143KB

MD5
b27ea830fb39bc056e65f9a2260ae216

SHA1
b69e40ee5cabe0721d2d1e9fbdd4088fd87592d6

SHA256
fb7fab836f744d669451dcd38aa7d2a9c74c6af893c258d079439b58abce70d8

SHA512
22cad79d90a949174828ee5e3ce621113591c7c991c55c1a6a44a4555002adeb3bcbd9bab6cfbbfdefd663b76ac2dae96d70a01c527b312c7e8d223334a30219

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
128KB

MD5
6e47167afecfbecd98613cdfc69699de

SHA1
80634698ca65811bf0fa3d1e68d8939789d06a4d

SHA256
9ec5b4582552cc2c4e9b6b8a61ea08e12cc082a4c4135ef0651aec7cbe4ae674

SHA512
eb43685a4b63307555c379af4b812dc2b0b0ab6dc5d8f07d30fa733296f2758896bdbb425e44dd1231d99ab95c18a806f1e57204b3df701dd32ce362c016becd

Download Submit
memory/436-23-0x00007FFFE9CF3000-0x00007FFFE9CF5000-memory.dmp

Filesize
8KB

Download
memory/436-24-0x0000000000D10000-0x0000000000D38000-memory.dmp

Filesize
160KB

Download
memory/4456-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4900-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads