Overview

overview

9

Static

static

3

8a3b2d43fd...cs.exe

windows7-x64

9

8a3b2d43fd...cs.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 19:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe

  • Size

    215KB

  • MD5

    8a3b2d43fd63447cfd523ed1a06d70e0

  • SHA1

    8adb76bebaafa632b260f3d7f344ca2056ef5783

  • SHA256

    00091f6a6937faf51b5b1840daa04058087e4eede8879b477e624e5641cfaab7

  • SHA512

    0d5b14a33a84e3c521f6a7ef3625a756a74654043ea568800707cea8e974dbb8b2312c75a044eee2ce17c49aebc2cd868e5e1b3fd4bc9737d0d1db433513981f

  • SSDEEP

    3072:69WpQEJAOE9tHpKrvGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2ExI:nfAB95pK7ShcHUan

Score
9/10
ransomware

Malware Config

Signatures

  • Renames multiple (5195) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\8a3b2d43fd63447cfd523ed1a06d70e0_NeikiAnalytics.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:1088
    • C:\Users\Admin\AppData\Local\Temp\_clist.exe
      "_clist.exe"
      2⤵
      • Executes dropped EXE
      PID:1080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.exe
    Filesize

    72KB

    MD5

    17b922237c047fbff08d16c991b79870

    SHA1

    04e97eef5d0184ae10896a7e20df34e8b5eae91c

    SHA256

    2dd1c179f71db3574931a886de3eec9af2d2444eed01be0b05fc1d498ef64fe7

    SHA512

    d801c9ebfab5ee7122152cd376befb142a1bafcf4fe6e09db22b3f878d759bc204e3795704fd63345b8bf910a998dd89b77dae14123696130839fe8d4f93956a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_clist.exe
    Filesize

    143KB

    MD5

    b27ea830fb39bc056e65f9a2260ae216

    SHA1

    b69e40ee5cabe0721d2d1e9fbdd4088fd87592d6

    SHA256

    fb7fab836f744d669451dcd38aa7d2a9c74c6af893c258d079439b58abce70d8

    SHA512

    22cad79d90a949174828ee5e3ce621113591c7c991c55c1a6a44a4555002adeb3bcbd9bab6cfbbfdefd663b76ac2dae96d70a01c527b312c7e8d223334a30219

    Download Submit
  • C:\Windows\SysWOW64\Zombie.exe
    Filesize

    72KB

    MD5

    0cbbb285bb28920f582a8533553b3c97

    SHA1

    a77e6ada28051f987d0b6a7724cc5bd4f92e8ea3

    SHA256

    445f3742790fba302fded9b79c480e98adb0de2dd9276d28966fb522665f6131

    SHA512

    b15566e8954a2436a2c487fdc20078f273fe219392572ec8fcac23013f3dd00916541ab8e8ea2c960951aba5258a81df8522eaee2ee391f8540fdd7a9d9287ff

    Download Submit
  • memory/1080-22-0x00007FFB43783000-0x00007FFB43785000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1080-19-0x00000000003E0000-0x0000000000408000-memory.dmp
    Filesize

    160KB

    Download