164858d8e06ec75ce27c8347af3021d02b0d426e3d947115be51248d726d2b8c

General

Target

82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe
Size

226KB
MD5

82e62616c82891583e01b7687e4e8b80
SHA1

44cf51ec7ed29419f5b0bc7b16dc5f026d114013
SHA256

164858d8e06ec75ce27c8347af3021d02b0d426e3d947115be51248d726d2b8c
SHA512

dd6755b5671b25ceed586deb3a31db7c944523e183b05e33449749adc626452e997fbf501447eead5257735704b8307a41267b78fdb18576f13cbddef3b0091f
SSDEEP

3072:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFslEhLfyBP:PqFF2Ie+e1EO9xpKbShcHUaP

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (1476) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

_cuninst.exeZombie.exe

pid process

2004 _cuninst.exe
2084 Zombie.exe

pid	process
2004	_cuninst.exe
2084	Zombie.exe

Loads dropped DLL 3 IoCs

Processes:

82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe

pid	process
568	82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe
568	82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe
568	82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe

Drops file in System32 directory 2 IoCs

Processes:

82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

Zombie.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\106.0.5249.119.manifest.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.tmp	Zombie.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\MSTTSLoc.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\msdbg2.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+12.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_it.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\directshowtap.ax.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\management.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\CompareSync.sql.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-9.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_pt_BR.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticnotification.exsd.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Brussels.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Auckland.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.core_2.3.5.v201308161310.jar.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\msadcs.dll.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe

description	pid	process	target process
PID 568 wrote to memory of 2004	568	82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe	_cuninst.exe
PID 568 wrote to memory of 2004	568	82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe	_cuninst.exe
PID 568 wrote to memory of 2004	568	82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe	_cuninst.exe
PID 568 wrote to memory of 2004	568	82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe	_cuninst.exe
PID 568 wrote to memory of 2084	568	82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe	Zombie.exe
PID 568 wrote to memory of 2084	568	82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe	Zombie.exe
PID 568 wrote to memory of 2084	568	82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe	Zombie.exe
PID 568 wrote to memory of 2084	568	82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\82e62616c82891583e01b7687e4e8b80_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2084

C:\Users\Admin\AppData\Local\Temp\_cuninst.exe
"_cuninst.exe"
2⤵
- Executes dropped EXE
PID:2004

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini.tmp
Filesize
83KB

MD5
8197ee4957ab1aabe4832ccacea3f3d6

SHA1
283d4f9b350f621d4a68a7229f977a8441205ef6

SHA256
5a4c9dc6b8b4688ad91ecf740d7729944b106ab294967bf71678ae2984ca299b

SHA512
4a2cdc696bbc506640c37763039cc843b7ff7e7ce78c848abb61d17382076ceb478aa97499cd044c48a145c7572ec4ba4e3ff6fbd6fe5036273ab1720cf4696b

Download Submit
\Users\Admin\AppData\Local\Temp\_cuninst.exe
Filesize
143KB

MD5
7f9f981d970cbccece6ff126ab309045

SHA1
950a14dc6b636237c2f158cce02076b1a1b371e0

SHA256
82596d7d86d685087965457c297973c2aa1fbff0f6a0a3b8d8760f1cc65105cf

SHA512
ac59a2c6bc3b6fad47bac83d84336387b03b45d186c5d021f3c57c7fb160491e8344923d4978e50fb37f6c37e45bbb9c0f9b7cd4b93506ff571c82b795c6fb47

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
83KB

MD5
6c89b5bc444d1aab2a753b6fb6c4b5cb

SHA1
2cf5c71857ad9034a214a13d89c5f5f0bd4207b5

SHA256
937e37323421d3c7406ecdc22ad77ff9460f35fa5b335c650c27246e1c913186

SHA512
14f138fbba063f291b4e8d78d545005420239837e98e43e404ff3e46306f810ed9277a27cf3359d9baa71a80d71f87f068f07ab0e9617c74fb6ed0aa6326661e

Download Submit
memory/2004-19-0x000007FEF51F3000-0x000007FEF51F4000-memory.dmp

Filesize
4KB

Download
memory/2004-26-0x00000000010A0000-0x00000000010C8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads