Analysis
- max time kernel: 152s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 20:26
Static task: static1
Behavioral task: behavioral1
- Sample: e5e5e7125c0ed4071386a5eeb81e0e30_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: e5e5e7125c0ed4071386a5eeb81e0e30_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: e5e5e7125c0ed4071386a5eeb81e0e30_NeikiAnalytics.exe
- Size: 402KB
- MD5: e5e5e7125c0ed4071386a5eeb81e0e30
- SHA1: 58280c768ef121f532375e96f90c12d478f28777
- SHA256: 823a08d92b83a3e4d10f3c777c0072d5e239aecb7561af8d226316e176fe75c5
- SHA512: f756622070aa39eaf20c4152a26466907fbf94202ee027847e0d94d4f982d474f547cb6c282ceef74dab75a1e86aa93c4f70b568787c6aaaad897807135151b4
- SSDEEP: 6144:RqKvb0CYJ973e+eKZ65lqo52kDzMYDJSi7+Ni2ER9Vh98+1PrEVhkQf0huIDaLOD:vvbxYX7Z6MqzBDJkk2ERvT8MPAf/O60
Malware Config
Signatures
- Renames multiple (511) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  2172 Zombie.exe
  1884 _7z.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
  2008 e5e5e7125c0ed4071386a5eeb81e0e30_NeikiAnalytics.exe
  2008 e5e5e7125c0ed4071386a5eeb81e0e30_NeikiAnalytics.exe
  2008 e5e5e7125c0ed4071386a5eeb81e0e30_NeikiAnalytics.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description, ioc, process):
  File created, C:\Windows\SysWOW64\Zombie.exe, e5e5e7125c0ed4071386a5eeb81e0e30_NeikiAnalytics.exe
  File opened for modification, C:\Windows\SysWOW64\Zombie.exe, e5e5e7125c0ed4071386a5eeb81e0e30_NeikiAnalytics.exe
- Drops file in Program Files directory (64 IoCs)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  PID 2008 wrote to memory of 2172, e5e5e7125c0ed4071386a5eeb81e0e30_NeikiAnalytics.exe, Zombie.exe
  PID 2008 wrote to memory of 2172, e5e5e7125c0ed4071386a5eeb81e0e30_NeikiAnalytics.exe, Zombie.exe
  PID 2008 wrote to memory of 2172, e5e5e7125c0ed4071386a5eeb81e0e30_NeikiAnalytics.exe, Zombie.exe
  PID 2008 wrote to memory of 2172, e5e5e7125c0ed4071386a5eeb81e0e30_NeikiAnalytics.exe, Zombie.exe
  PID 2008 wrote to memory of 1884, e5e5e7125c0ed4071386a5eeb81e0e30_NeikiAnalytics.exe, _7z.exe
  PID 2008 wrote to memory of 1884, e5e5e7125c0ed4071386a5eeb81e0e30_NeikiAnalytics.exe, _7z.exe
  PID 2008 wrote to memory of 1884, e5e5e7125c0ed4071386a5eeb81e0e30_NeikiAnalytics.exe, _7z.exe
  PID 2008 wrote to memory of 1884, e5e5e7125c0ed4071386a5eeb81e0e30_NeikiAnalytics.exe, _7z.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e5e5e7125c0ed4071386a5eeb81e0e30_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e5e5e7125c0ed4071386a5eeb81e0e30_NeikiAnalytics.exe"
  PID: 2008
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Zombie.exe (depth 2, child of PID 2008)
    Command line: "C:\Windows\system32\Zombie.exe"
    PID: 2172
    - Executes dropped EXE
    - Drops file in Program Files directory
  - C:\Users\Admin\AppData\Local\Temp\_7z.exe (depth 2, child of PID 2008)
    Command line: "_7z.exe"
    PID: 1884
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.tmp
  Filesize: 78KB
  MD5: 60f1a2e37191293ebee127456419c444
  SHA1: 4e07a989271e2fe39603eef8d77a1980c4419ca9
  SHA256: 3b9c496bc9038bb5cc08df8be8bd42b9220b506df03e88ec233bbd48ab786e23
  SHA512: 1ec4922934c708ca974e2a474129d1bd4c89d65a2020ba7cdb7db492226fecdd7ee2f51a7007566b7d91f06d9bd809cece33ab2804e9515b0db9a5ff0f38f949
- \Users\Admin\AppData\Local\Temp\_7z.exe
  Filesize: 324KB
  MD5: 7187ae605f4dce14bb23ea2623956335
  SHA1: f7c1df33b875c98f41dcde24117d89d42d25b7ce
  SHA256: 9e2631c19b243c28b0980607ced2540e9447b1166572483475547c1a9dd4ac0e
  SHA512: f64522e2fb6bb61884fe53c34e79b355efb9ec33c02b2cd67d729af7d763e7b3873a5c7ce6ac7bb4567e6bcf8c70cadbc66f511e8bb151ab05096a832032bc8f
- \Windows\SysWOW64\Zombie.exe
  Filesize: 78KB
  MD5: 5f6f29e29bc5f285d2d6c30cca909155
  SHA1: c5d91a27fb4784755a1edb41fbc6e1a8fdc8c10d
  SHA256: 32552483635bc7cadb682a84e921283c845bb1e7accde9ec40477319dacc9601
  SHA512: 6016d8292353f5e98d499ba3bfc5d9815eeae8e4c24c88f4e80c775aa0b83d0109c75d8e7220e15d9ad6566897176a8e3969e9502fa921acba56131a005b7a50