24aecb71d9d0fcc029264fd5638011b90325a1db9214e616552cdb713bf83aa1

General

Target

e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe
Size

225KB
MD5

e691aef25308f0bcd4ace49c2a920c30
SHA1

1c06f6556b36b9dbefb787c601d27fa2730a7e3f
SHA256

24aecb71d9d0fcc029264fd5638011b90325a1db9214e616552cdb713bf83aa1
SHA512

36bf77710a098bf6a8c414f7df7d32e7808aa2cdf33b8668084b6150dbe78a13a3ced806bdc8c963c904cf5118e55f50c6ffa92ea0cea7b636e22fa03f79c8ff
SSDEEP

6144:RqKvb0CYJ973e+eKZ0V5O9xpKbShcHUan:vvbxYX7Z0VbvUan

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (3431) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

_cuninst.exeZombie.exe

pid process

3008 _cuninst.exe
1996 Zombie.exe

pid	process
3008	_cuninst.exe
1996	Zombie.exe

Loads dropped DLL 3 IoCs

Processes:

e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe

pid	process
2380	e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe
2380	e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe
2380	e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe

Drops file in System32 directory 2 IoCs

Processes:

e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

Zombie.exe

description	ioc	process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\25.png.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Monrovia.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libvnc_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Ulaanbaatar.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\Minesweeper.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\LICENSE.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\Windows Journal\Templates\Shorthand.jtp.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_h.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_hov.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\content-types.properties.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\SpiderSolitaire.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_hover.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Wallis.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-progress-ui.jar.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\picturePuzzle.css.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Beirut.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\PushUnpublish.dwg.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Midway.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5EDT.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\desktop.ini.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsFormsIntegration.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libshm_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libedgedetection_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe

description	pid	process	target process
PID 2380 wrote to memory of 3008	2380	e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe	_cuninst.exe
PID 2380 wrote to memory of 3008	2380	e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe	_cuninst.exe
PID 2380 wrote to memory of 3008	2380	e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe	_cuninst.exe
PID 2380 wrote to memory of 3008	2380	e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe	_cuninst.exe
PID 2380 wrote to memory of 1996	2380	e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe	Zombie.exe
PID 2380 wrote to memory of 1996	2380	e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe	Zombie.exe
PID 2380 wrote to memory of 1996	2380	e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe	Zombie.exe
PID 2380 wrote to memory of 1996	2380	e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e691aef25308f0bcd4ace49c2a920c30_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2380

C:\Users\Admin\AppData\Local\Temp\_cuninst.exe
"_cuninst.exe"
2⤵
- Executes dropped EXE
PID:3008

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1996

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.tmp
Filesize
82KB

MD5
985c322ceb8ce2e02249a64f13d68cb1

SHA1
61d8cd19375088a9a5dce3537705ce0cf62b1be2

SHA256
e79520638e818cbe4de6bea3366971a30d26372c9ea2287a88c67591485a9738

SHA512
cb12ef69e8b03b997866f89498a1712b5eb91a51f13908d0991e5038fbb24a732b7f138ba33136cb6320a447711419a236dfd9e92252e48511a303f119126ac9

Download Submit
\Users\Admin\AppData\Local\Temp\_cuninst.exe
Filesize
143KB

MD5
7f9f981d970cbccece6ff126ab309045

SHA1
950a14dc6b636237c2f158cce02076b1a1b371e0

SHA256
82596d7d86d685087965457c297973c2aa1fbff0f6a0a3b8d8760f1cc65105cf

SHA512
ac59a2c6bc3b6fad47bac83d84336387b03b45d186c5d021f3c57c7fb160491e8344923d4978e50fb37f6c37e45bbb9c0f9b7cd4b93506ff571c82b795c6fb47

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
82KB

MD5
91c73dd48b5f3b73d3eda72ab4b78596

SHA1
2d062b73c13f58ec63faf2c7445c38cb61f242e0

SHA256
83cf0fb8eea30f2d5d422559b76bf677ee6b8c19b60f8125f9c46d8d0525434f

SHA512
13d139acc4d12ed1ad1bd8033222556454363fb824d4302775c3ccae5e2388c73cf11f04c69cfc2bf66b80d3b92fcd8a98a365f002e16db210b579272e9454e4

Download Submit
memory/3008-19-0x000007FEF5633000-0x000007FEF5634000-memory.dmp

Filesize
4KB

Download
memory/3008-20-0x0000000001170000-0x0000000001198000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads