89c2955518f18e5b96d7d72b66e1f87f82727b17c1b90834d86c53490300bf97

General

Target

c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe
Size

7.3MB
MD5

c3d53f04557a9e8a701df46810b34d40
SHA1

5ea6ab95a69d3c2daf24a7f65cae95c5da366268
SHA256

89c2955518f18e5b96d7d72b66e1f87f82727b17c1b90834d86c53490300bf97
SHA512

f58db0166641ea69d02f5173cf85c6fcf2e76722c2a29acccdc7216416b79930d0bee268a08c2d7fe242d7a229fad858c04dfd9f5687208c9792ad081fcff795
SSDEEP

98304:stzqBZMMEM0MUMRMxMwMkfqbjxbSzGVr4W11/KsZfGpWqOJwN/:mqBZtlV1qKpkfqbjeGVr4wZfNnJw1

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (3814) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

Zombie.exe_choco.exe

pid process

1288 Zombie.exe
2680 _choco.exe

pid	process
1288	Zombie.exe
2680	_choco.exe

Loads dropped DLL 4 IoCs

Processes:

c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe

pid	process
2196	c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe
2196	c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe
2196	c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe
2196	c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2196-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
\Windows\SysWOW64\Zombie.exe	upx
behavioral1/memory/2196-4-0x00000000002E0000-0x00000000002EA000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini.tmp	upx
behavioral1/memory/1288-16-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2196-15-0x00000000002E0000-0x00000000002EA000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

Zombie.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-views.jar.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Rainy_River.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tirane.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Half.png.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\35.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Funafuti.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\default-browser-agent.exe.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\NOTICE.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Beirut.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\FreeCell\de-DE\FreeCell.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\currency.data.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\7.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\month.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)alertIcon.png.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml.tmp	Zombie.exe
File created	C:\Program Files\Windows Journal\it-IT\Journal.exe.mui.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\OutlookMUI.XML.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Mazatlan.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Port_of_Spain.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Speech.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\net.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia_Banderas.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\liblogo_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Journal\JNWDRV.dll.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\drag.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\dummy.luac.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\common.luac.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\settings.js.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\gadget.xml.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_hov.png.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsHub_is.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Defender\MpOAV.dll.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\pingsender.exe.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\Minesweeper.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmpgv_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Eurosti.TTF.tmp	Zombie.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

_choco.exe

description pid process

Token: SeDebugPrivilege 2680 _choco.exe

description	pid	process
Token: SeDebugPrivilege	2680	_choco.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe

description	pid	process	target process
PID 2196 wrote to memory of 1288	2196	c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe	Zombie.exe
PID 2196 wrote to memory of 1288	2196	c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe	Zombie.exe
PID 2196 wrote to memory of 1288	2196	c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe	Zombie.exe
PID 2196 wrote to memory of 1288	2196	c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe	Zombie.exe
PID 2196 wrote to memory of 2680	2196	c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe	_choco.exe
PID 2196 wrote to memory of 2680	2196	c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe	_choco.exe
PID 2196 wrote to memory of 2680	2196	c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe	_choco.exe
PID 2196 wrote to memory of 2680	2196	c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe	_choco.exe

C:\Users\Admin\AppData\Local\Temp\c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c3d53f04557a9e8a701df46810b34d40_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1288

C:\Users\Admin\AppData\Local\Temp\_choco.exe
"_choco.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2680

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini.tmp
Filesize
41KB

MD5
ae7f74ad70a9acca22e568e647ac1f29

SHA1
00565e90a577b7e6c7bbf81007c789e07aec694d

SHA256
410e124569928923e70d4baee07e0c3d7d3ab8cf0b304a7a75c176b09c0cc7ef

SHA512
04080eab1755d9f49aebc871ea732faff4b8a8ccb29dd226982790d682901e6c19672b9a982b1674a408b8866e34c2e2a6561e7f3fbadc16d739740602924393

Download Submit
C:\Users\Admin\AppData\Local\Temp\_choco.exe
Filesize
7.3MB

MD5
dd6b75a77601d62ac66df1b0a51a7de3

SHA1
699fc35deccb0cd6e341420903fc993535c2c98f

SHA256
2f46a1d48e1589e0aa10f215e77cb48fb90c531e19aa3c05d766f59b449f3c15

SHA512
43bd57e5379c22494aade734a45a443722327d48c7f06aa521048c99adba576e29bd70bba7bd28ba94f8f24f88efed7b8e5a1b3249cbfcb4d95fd0bc1f424d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\chocolatey.config.backup
Filesize
809B

MD5
8b6737800745d3b99886d013b3392ac3

SHA1
bb94da3f294922d9e8d31879f2d145586a182e19

SHA256
86f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594

SHA512
654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\chocolatey.log
Filesize
4KB

MD5
aa0f438fad768df597764d8018ba1720

SHA1
8153e93bbe8536c8f6339d5451103a81337c4fb4

SHA256
913131ac574b25700f785c72657bde151ced5dd028c9d782015c2b38f22ec5a2

SHA512
f36152688304916d2cecdd3b656b92bef895d6c1f210f1c66c2ecf00a9e4fd2508d81001b5ebf30d4ce28059612f2993d7d5172af4bf947e4013372cddac83cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\chocolatey.log
Filesize
805B

MD5
4646cabc779e60f12f32986fb24d15f5

SHA1
2945510958c97c294554de931acf222dbb4ba1ca

SHA256
8702d707f996d6d34248c4e32d9cc5e59de758a2efef7a38bf85eb1619a3c6aa

SHA512
dac59051a3ee5068217bf284bd90d11be1e36167caf0bfea1ffbda1dfc3815ecb5f2295243b2013f8431ddbfe09a91bbb10a901967410ccfd3a4fcac128ab02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\cpush.exe.ignore
Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
41KB

MD5
6ec33598531474fbfcf3e4229a62b906

SHA1
6a1cb57da80d705742ae04354cdc492aca0802a1

SHA256
998edbcecdd0c59f9249029af941c1c785f5d3968c939b6d1f0fce40583f45b2

SHA512
9e30ea71fa2e4d6b9684f404e1a60e350dca7b10b4e291803b2d5d72d66bb2cc1adf61ad3877ce0ad516e1bae257991cd2898692dc41d2a904f8017eba7d7864

Download Submit
memory/1288-16-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2196-15-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download
memory/2196-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2196-4-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download
memory/2680-35-0x00000000008D0000-0x0000000001016000-memory.dmp

Filesize
7.3MB

Download
memory/2680-36-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-34-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/2680-44-0x000000001C000000-0x000000001C2E2000-memory.dmp

Filesize
2.9MB

Download
memory/2680-170-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads