b3f70c4465ceef59c8047f505546bfbd52e72378ccccd2b40aa808d31f5aacc7

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 23:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe
Size

659KB
MD5

281fd1de65e5e1519b9c2285912fa8b0
SHA1

fe6375f8331180009735f2036c36af636a72643d
SHA256

b3f70c4465ceef59c8047f505546bfbd52e72378ccccd2b40aa808d31f5aacc7
SHA512

7fd0068d80ef0294c19f30e64ccfdc77dcc06cd635c937c90c1a8a12c1fd758155fcbf8569c86e79365d768a1d7908a89201c060537669f2ab4de8a988859e24
SSDEEP

6144:wHm3AIuZAIuDMVtM/L2ZKS7bYrIOXsqmWzJrdc6GJRQUWGUA9PRWLiFSbE56FORu:XAIuZAIuOEQ7J2lWRPWhA9PRWg9E

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (2919) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
2036	_setup.exe
1280	Zombie.exe

Loads dropped DLL 3 IoCs

pid	Process
1048	281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe
1048	281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe
1048	281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1048-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000c000000012674-6.dat	upx
behavioral1/memory/1048-8-0x00000000003E0000-0x00000000003EB000-memory.dmp	upx
behavioral1/memory/1280-19-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000800000001564f-21.dat	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\eula.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Panama.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionProvider.exsd.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Printing.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\MemoryAnalyzer.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\cmm\LINEAR_RGB.pf.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Davis.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Paris.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsBase.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Fakaofo.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Iqaluit.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-4.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\jp2launcher.exe.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Juneau.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Warsaw.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\rtstreamsource.ax.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\defaultagent_localized.ini.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util.jar.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Berlin.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\YST9.tmp	Zombie.exe
File created	C:\Program Files\desktop.ini.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Denver.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Tahiti.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\id.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-visual.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\DumontDUrville.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtobe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar.tmp	Zombie.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2036	_setup.exe
2036	_setup.exe
2036	_setup.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2036	1048	281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe	29
PID 1048 wrote to memory of 2036	1048	281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe	29
PID 1048 wrote to memory of 2036	1048	281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe	29
PID 1048 wrote to memory of 2036	1048	281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe	29
PID 1048 wrote to memory of 2036	1048	281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe	29
PID 1048 wrote to memory of 2036	1048	281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe	29
PID 1048 wrote to memory of 2036	1048	281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe	29
PID 1048 wrote to memory of 1280	1048	281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe	28
PID 1048 wrote to memory of 1280	1048	281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe	28
PID 1048 wrote to memory of 1280	1048	281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe	28
PID 1048 wrote to memory of 1280	1048	281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1280
- C:\Users\Admin\AppData\Local\Temp\_setup.exe
  "_setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.tmp

Filesize
202KB

MD5
7c034a0662a88341157d5ef919da8e4b

SHA1
ad8ccd71c7bdb531cc6e80c182596eb1e9222d00

SHA256
40139efa08b88d8ebb18e8c22924a828ef7bdcf6d9d12b78c4dd2da2e9a01643

SHA512
3ced60abce04e4f70327ad9487891c85502e09e581793e7e879c7be4f4994ae1af6b037ffb7c3a7ff7d74b105e309532bb6b25dd2ad2c1ac63525c46673c2614

Download Submit
\Users\Admin\AppData\Local\Temp\_setup.exe

Filesize
457KB

MD5
446366ca32877e2290d0bd8f22e11809

SHA1
b620d296d53566d9a07c1cabc92c50d0f5c4f34a

SHA256
4b76c0ea832d58966f824cfedb9a3831b1c286b13cc22d56e29dad7966847184

SHA512
edbb4cd70b9c372f827136db217087451732f83a34af854ff031a659e9aee0fe849c0005a38d2bd19f438f8277147101a577fa900b89e2e1f804b369134255cf

Download Submit
\Windows\SysWOW64\Zombie.exe

Filesize
202KB

MD5
6a3afa0b51bd0c58471259129916e6c8

SHA1
c81ede222810058f922a4982fc90187c08d9f2d9

SHA256
e39d1245b64e6bb6078306976e3e1cb38df291b9a7d7b34527e009d2f9dd9a09

SHA512
5abf5a297148f94747ffd142bbf202ceb29bf44709870eafc0f2398c45776c2e8f9fb96d05b8979b83f00bb60cc13639bb3b216a717dfc6c796c37b2d0f2d7ae

Download Submit
memory/1048-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1048-8-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/1048-18-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/1280-19-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download