c7207f55b0fdb4d1b8101197cba305da13e7fafbde6980771d0ea79ab842309c

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe
Size

215KB
MD5

1f0861c9246a2f99c450502d398ee5c0
SHA1

edc2faefbc97b4b5c46dbb3b36c638c13d341366
SHA256

c7207f55b0fdb4d1b8101197cba305da13e7fafbde6980771d0ea79ab842309c
SHA512

53814623dab0c115304aa1d35e06ba39bbb9d4ca0057a67be5301a878fa16ee209436b2c0ce17b0e990bc67a237cc0bbff80ec9f19f669a05fa78145d142de47
SSDEEP

3072:fnyiQSo/w9mHpKZNGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2ZTxx:KiQSoo9UpK7ShcHUaZf

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (3676) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
2752	_cinst.exe
2252	Zombie.exe

Loads dropped DLL 3 IoCs

pid	Process
1868	1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe
1868	1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe
1868	1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1868-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x000c00000001226d-5.dat	upx
behavioral1/memory/2252-17-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0008000000015cd6-19.dat	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\drag.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml.tmp	Zombie.exe
File created	C:\Program Files\GetExpand.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jni.h.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Algiers.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_down.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuching.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\de-DE\wmpnssui.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\settings.ini.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\nacl_irt_x86_64.nexe.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\JAWTAccessBridge-64.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\nssckbi.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Tijuana.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ca.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-uihandler.xml_hidden.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_up.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Danmarkshavn.tmp	Zombie.exe
File created	C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Windows Journal\MSPVWCTL.DLL.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\calendar.js.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Detroit.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Monticello.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\file_obj.gif.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius.tmp	Zombie.exe
File created	C:\Program Files\Windows Defender\MpEvMsg.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.policy.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\cmm\LINEAR_RGB.pf.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\security\local_policy.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\dummy.luac.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_s.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\nio.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Khandyga.tmp	Zombie.exe
File created	C:\Program Files\UninstallRead.ppsm.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\MANIFEST.MF.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2752	1868	1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe	29
PID 1868 wrote to memory of 2752	1868	1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe	29
PID 1868 wrote to memory of 2752	1868	1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe	29
PID 1868 wrote to memory of 2752	1868	1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe	29
PID 1868 wrote to memory of 2252	1868	1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe	28
PID 1868 wrote to memory of 2252	1868	1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe	28
PID 1868 wrote to memory of 2252	1868	1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe	28
PID 1868 wrote to memory of 2252	1868	1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2252
- C:\Users\Admin\AppData\Local\Temp\_cinst.exe
  "_cinst.exe"
  2⤵
  - Executes dropped EXE
  PID:2752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini.tmp

Filesize
72KB

MD5
8bcb3af7af4eb2601b06701383c59b55

SHA1
12651f6dd469f297c5926e9a870ed5693ef12df0

SHA256
702e6fffd09389bee75b41a521d519649bd47e1d6498edc33ad651e231418592

SHA512
48b8c3671c5de2812df20872a3337940adb59e5d8a6a2422b9ead83db3683f200c35188d174eb549ca23aaa7df77ee49167679ddcc2f46cc9fa45f2fb172bbc9

Download Submit
\Users\Admin\AppData\Local\Temp\_cinst.exe

Filesize
143KB

MD5
2fdb371d45181dff59577110ba1064e2

SHA1
42a5833cb0ac90e38d734d1327bb3f7c7a6aa453

SHA256
80d7ec8ce3913d81ea5d4f304b8609e56f0e49778c52af9279e742ea54f4a155

SHA512
52982041ba9ca552b90b79b251501ec6c33c5251d09ca9969a1b179af2ec17aca6eb81db6e588e12751bcea04208e1da8d5a754a979dd98ceb3f50780aadea20

Download Submit
\Windows\SysWOW64\Zombie.exe

Filesize
72KB

MD5
91d3e21ecb3b3a942d88fd8245383978

SHA1
5afa4c1f456a92adf42c0c1c3315402bd4d4bb1f

SHA256
70eed4d2d51eba4303cde9c9401931f960479473db7586caf3c5f13d5ff9cc93

SHA512
4386b5578c3c248c9809a4912bc560c8e4fe4924fb33eb04827132d1f8112d9c1a87a24353397b103b72aacaa94a7c74674ba992570ffefe5aa67bfa0db93e3e

Download Submit
memory/1868-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1868-16-0x00000000003A0000-0x00000000003AB000-memory.dmp

Filesize
44KB

Download
memory/2252-17-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2752-22-0x000007FEF6163000-0x000007FEF6164000-memory.dmp

Filesize
4KB

Download
memory/2752-23-0x00000000008C0000-0x00000000008E8000-memory.dmp

Filesize
160KB

Download