Overview

overview

9

Static

static

7

281fd1de65...cs.exe

windows7-x64

9

281fd1de65...cs.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/05/2024, 23:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe

  • Size

    659KB

  • MD5

    281fd1de65e5e1519b9c2285912fa8b0

  • SHA1

    fe6375f8331180009735f2036c36af636a72643d

  • SHA256

    b3f70c4465ceef59c8047f505546bfbd52e72378ccccd2b40aa808d31f5aacc7

  • SHA512

    7fd0068d80ef0294c19f30e64ccfdc77dcc06cd635c937c90c1a8a12c1fd758155fcbf8569c86e79365d768a1d7908a89201c060537669f2ab4de8a988859e24

  • SSDEEP

    6144:wHm3AIuZAIuDMVtM/L2ZKS7bYrIOXsqmWzJrdc6GJRQUWGUA9PRWLiFSbE56FORu:XAIuZAIuOEQ7J2lWRPWhA9PRWg9E

Score
9/10
ransomwareupx

Malware Config

Signatures

  • Renames multiple (4646) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\281fd1de65e5e1519b9c2285912fa8b0_NeikiAnalytics.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:1968
    • C:\Users\Admin\AppData\Local\Temp\_setup.exe
      "_setup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3520

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini.tmp
          Filesize

          202KB

          MD5

          5025cfaaae268d74eb3d45a3ec629bee

          SHA1

          346b36d6db9a387ed6c5e63dc531fd00b51cf237

          SHA256

          e1ffe1408123999f1f5bda5047fda89ae16ed2319d80e6e92d92014bf0e5eafe

          SHA512

          33d5afddb2848640717759b93b90b20c8354fdabffdca9ebc000703f980731a5035795252750cf80b82076f0f02fab2aa12ea00c11d468e8e15ee21686f1f84a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\_setup.exe
          Filesize

          457KB

          MD5

          446366ca32877e2290d0bd8f22e11809

          SHA1

          b620d296d53566d9a07c1cabc92c50d0f5c4f34a

          SHA256

          4b76c0ea832d58966f824cfedb9a3831b1c286b13cc22d56e29dad7966847184

          SHA512

          edbb4cd70b9c372f827136db217087451732f83a34af854ff031a659e9aee0fe849c0005a38d2bd19f438f8277147101a577fa900b89e2e1f804b369134255cf

          Download Submit

        • C:\Windows\SysWOW64\Zombie.exe
          Filesize

          202KB

          MD5

          6a3afa0b51bd0c58471259129916e6c8

          SHA1

          c81ede222810058f922a4982fc90187c08d9f2d9

          SHA256

          e39d1245b64e6bb6078306976e3e1cb38df291b9a7d7b34527e009d2f9dd9a09

          SHA512

          5abf5a297148f94747ffd142bbf202ceb29bf44709870eafc0f2398c45776c2e8f9fb96d05b8979b83f00bb60cc13639bb3b216a717dfc6c796c37b2d0f2d7ae

          Download Submit

        • memory/1664-0-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1664-20-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download