00091f6a6937faf51b5b1840daa04058087e4eede8879b477e624e5641cfaab7

General

Target

8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe
Size

215KB
MD5

8a3b2d43fd63447cfd523ed1a06d70e0
SHA1

8adb76bebaafa632b260f3d7f344ca2056ef5783
SHA256

00091f6a6937faf51b5b1840daa04058087e4eede8879b477e624e5641cfaab7
SHA512

0d5b14a33a84e3c521f6a7ef3625a756a74654043ea568800707cea8e974dbb8b2312c75a044eee2ce17c49aebc2cd868e5e1b3fd4bc9737d0d1db433513981f
SSDEEP

3072:69WpQEJAOE9tHpKrvGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2ExI:nfAB95pK7ShcHUan

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (3634) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

_clist.exeZombie.exe

pid process

2192 _clist.exe
2076 Zombie.exe

pid	process
2192	_clist.exe
2076	Zombie.exe

Loads dropped DLL 3 IoCs

Processes:

8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe

pid	process
2208	8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe
2208	8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe
2208	8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe

Drops file in System32 directory 2 IoCs

Processes:

8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

Zombie.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Eirunepe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Design.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac.tmp	Zombie.exe
File created	C:\Program Files\Windows Journal\Journal.exe.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up_BIDI.png.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.tmp	Zombie.exe
File created	C:\Program Files\Windows Defender\MsMpRes.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\calendar.css.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider.png.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\EScript.api.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\gadget.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Majuro.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-windows.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libequalizer_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libfingerprinter_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\init.js.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_sun.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\highDpiImageSwap.js.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\RSSFeeds.html.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\jsound.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+10.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\de-DE\wmpnscfg.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\gadget.xml.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-1.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Apia.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\settings.js.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\settings.css.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\preloaded_data.pb.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Knox.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationProvider.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\weather.js.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\New_Salem.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\ReachFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.exe.sig.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Gambier.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe

description	pid	process	target process
PID 2208 wrote to memory of 2192	2208	8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe	_clist.exe
PID 2208 wrote to memory of 2192	2208	8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe	_clist.exe
PID 2208 wrote to memory of 2192	2208	8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe	_clist.exe
PID 2208 wrote to memory of 2192	2208	8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe	_clist.exe
PID 2208 wrote to memory of 2076	2208	8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe	Zombie.exe
PID 2208 wrote to memory of 2076	2208	8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe	Zombie.exe
PID 2208 wrote to memory of 2076	2208	8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe	Zombie.exe
PID 2208 wrote to memory of 2076	2208	8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Local\Temp\_clist.exe
"_clist.exe"
2⤵
- Executes dropped EXE
PID:2192

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2076

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini.tmp
Filesize
72KB

MD5
313c4e051be897f10aaee8fdddcbd9f2

SHA1
74f75cc920618b4d7db6513ceea59639997f65d9

SHA256
30df96d72c8ea2afff8846fd1d45229a2dc2687d523ab05e35bf39bde936d4e4

SHA512
a2bbf7be4e293c466de2152ba5b070bf2e74a7b9af98a3604c3822d321b942ca9c0313a12fff9cbd859bc15ca8be9db8bbf11d8afa0af02d44b9ce9bdd0baa96

Download Submit
\Users\Admin\AppData\Local\Temp\_clist.exe
Filesize
143KB

MD5
b27ea830fb39bc056e65f9a2260ae216

SHA1
b69e40ee5cabe0721d2d1e9fbdd4088fd87592d6

SHA256
fb7fab836f744d669451dcd38aa7d2a9c74c6af893c258d079439b58abce70d8

SHA512
22cad79d90a949174828ee5e3ce621113591c7c991c55c1a6a44a4555002adeb3bcbd9bab6cfbbfdefd663b76ac2dae96d70a01c527b312c7e8d223334a30219

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
72KB

MD5
0cbbb285bb28920f582a8533553b3c97

SHA1
a77e6ada28051f987d0b6a7724cc5bd4f92e8ea3

SHA256
445f3742790fba302fded9b79c480e98adb0de2dd9276d28966fb522665f6131

SHA512
b15566e8954a2436a2c487fdc20078f273fe219392572ec8fcac23013f3dd00916541ab8e8ea2c960951aba5258a81df8522eaee2ee391f8540fdd7a9d9287ff

Download Submit
memory/2192-19-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

Filesize
4KB

Download
memory/2192-20-0x0000000000EB0000-0x0000000000ED8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads