Analysis
max time kernel: 150s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 15:17
Behavioral task: behavioral1
  Sample: bfe14481df004c90ea4eb3e5c8a37b20_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: bfe14481df004c90ea4eb3e5c8a37b20_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: bfe14481df004c90ea4eb3e5c8a37b20_NeikiAnalytics.exe
Size: 498KB
MD5: bfe14481df004c90ea4eb3e5c8a37b20
SHA1: bb94f50e9ea5ac243c232c270669ad06b1d6d38b
SHA256: 706866f5897be71aa330689114ac961a79c12915f86afaed9023f4901b5c4fc0
SHA512: e929b35a0789995d8c3cdc0ae62995e8fff58c35dee887e0e7de1f5fa1b58623e1d375d23ca7d969eaa6a308fee877a01f1d6b0f00821f079225ed9ca7d297af
SSDEEP: 6144:KQSo1YrIOXsqmWzJrdc6GJRQUWGUA9PRWLiFSbE56FORFO:KQt32lWRPWhA9PRWg9+
Malware Config
Signatures
- Renames multiple (5338) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 1032  Zombie.exe
    pid 2692  _setup.exe
- Processes:
    resource: behavioral2/memory/4984-0-0x0000000000400000-0x000000000040A000-memory.dmp  yara_rule: upx
    resource: C:\Windows\SysWOW64\Zombie.exe  yara_rule: upx
    resource: C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.exe  yara_rule: upx
    resource: behavioral2/memory/1032-6-0x0000000000400000-0x000000000040A000-memory.dmp  yara_rule: upx
- Drops file in System32 directory (2 IoCs)
  Processes:
    File created: C:\Windows\SysWOW64\Zombie.exe  (process: bfe14481df004c90ea4eb3e5c8a37b20_NeikiAnalytics.exe)
    File opened for modification: C:\Windows\SysWOW64\Zombie.exe  (process: bfe14481df004c90ea4eb3e5c8a37b20_NeikiAnalytics.exe)
- Drops file in Program Files directory (64 IoCs)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid 2692  _setup.exe
    pid 2692  _setup.exe
    pid 2692  _setup.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 4984 wrote to memory of 1032  bfe14481df004c90ea4eb3e5c8a37b20_NeikiAnalytics.exe -> Zombie.exe
    PID 4984 wrote to memory of 1032  bfe14481df004c90ea4eb3e5c8a37b20_NeikiAnalytics.exe -> Zombie.exe
    PID 4984 wrote to memory of 1032  bfe14481df004c90ea4eb3e5c8a37b20_NeikiAnalytics.exe -> Zombie.exe
    PID 4984 wrote to memory of 2692  bfe14481df004c90ea4eb3e5c8a37b20_NeikiAnalytics.exe -> _setup.exe
    PID 4984 wrote to memory of 2692  bfe14481df004c90ea4eb3e5c8a37b20_NeikiAnalytics.exe -> _setup.exe
    PID 4984 wrote to memory of 2692  bfe14481df004c90ea4eb3e5c8a37b20_NeikiAnalytics.exe -> _setup.exe
Processes
C:\Users\Admin\AppData\Local\Temp\bfe14481df004c90ea4eb3e5c8a37b20_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bfe14481df004c90ea4eb3e5c8a37b20_NeikiAnalytics.exe"
  PID: 4984
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\Zombie.exe
    Command line: "C:\Windows\system32\Zombie.exe"
    PID: 1032
    - Executes dropped EXE
    - Drops file in Program Files directory
  C:\Users\Admin\AppData\Local\Temp\_setup.exe
    Command line: "_setup.exe"
    PID: 2692
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 40KB
  MD5: c8e184b9eb42dead43ed9f9a74a9a4f8
  SHA1: fadea0b7031e715a3f5826adeb82958f5c42f0b5
  SHA256: 649d3baab7fe416bf1d7c18519886e40ceb42536e312cd2735b1a3e2994975ca
  SHA512: 523912f97bc20adcacf518a4fe236b438f4071f0c12eec5cd63c26a9d4ccf3fba546fb541edbdbc48958289b47760b384ea70b126bfa783a7a3196119287a407
- Filesize: 457KB
  MD5: 446366ca32877e2290d0bd8f22e11809
  SHA1: b620d296d53566d9a07c1cabc92c50d0f5c4f34a
  SHA256: 4b76c0ea832d58966f824cfedb9a3831b1c286b13cc22d56e29dad7966847184
  SHA512: edbb4cd70b9c372f827136db217087451732f83a34af854ff031a659e9aee0fe849c0005a38d2bd19f438f8277147101a577fa900b89e2e1f804b369134255cf
- Filesize: 40KB
  MD5: 1215f99809437b0f338c89b2b8758889
  SHA1: f1d8b324fdf4bdaf1a7b1032f9740cb656ea3962
  SHA256: ccae93e70036c4766d8da849c6abd1e2d25accb72d3537680ebc58cf6cf7d0b0
  SHA512: 5f5132303890fd33591244f4af91c5e8bfdd55e4a865c0b4b911329063c1563472bc88f9c5d1cf6737d208e0cd2801fb7dfa3828aa3cd63d96ddd2412b745b0c