Analysis
- max time kernel: 152s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/05/2024, 04:33
Behavioral task behavioral1
- Sample: 1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task behavioral2
- Sample: 1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe
- Resource: win10v2004-20240226-en
General
- Target: 1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe
- Size: 215KB
- MD5: 1f0861c9246a2f99c450502d398ee5c0
- SHA1: edc2faefbc97b4b5c46dbb3b36c638c13d341366
- SHA256: c7207f55b0fdb4d1b8101197cba305da13e7fafbde6980771d0ea79ab842309c
- SHA512: 53814623dab0c115304aa1d35e06ba39bbb9d4ca0057a67be5301a878fa16ee209436b2c0ce17b0e990bc67a237cc0bbff80ec9f19f669a05fa78145d142de47
- SSDEEP: 3072:fnyiQSo/w9mHpKZNGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2ZTxx:KiQSoo9UpK7ShcHUaZf
Malware Config
Signatures
- Renames multiple (1050) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  pid 2872, Process Zombie.exe
  pid 2800, Process _cinst.exe
- YARA matches (resource, yara_rule)
  behavioral2/memory/4888-0-0x0000000000400000-0x000000000040B000-memory.dmp, upx
  behavioral2/files/0x0009000000023285-6.dat, upx
  behavioral2/files/0x0008000000023289-12.dat, upx
  behavioral2/memory/4888-23-0x0000000000400000-0x000000000040B000-memory.dmp, upx
- Drops file in System32 directory (2 IoCs)
  File opened for modification: C:\Windows\SysWOW64\Zombie.exe (Process: 1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe)
  File created: C:\Windows\SysWOW64\Zombie.exe (Process: 1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe)
Drops file in Program Files directory 64 IoCs
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 4888 wrote to memory of 2872, Process 1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe, procid_target 91
  PID 4888 wrote to memory of 2872, Process 1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe, procid_target 91
  PID 4888 wrote to memory of 2872, Process 1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe, procid_target 91
  PID 4888 wrote to memory of 2800, Process 1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe, procid_target 92
  PID 4888 wrote to memory of 2800, Process 1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe, procid_target 92
Processes
- C:\Users\Admin\AppData\Local\Temp\1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f0861c9246a2f99c450502d398ee5c0_NeikiAnalytics.exe"
  PID: 4888
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Zombie.exe
    Command line: "C:\Windows\system32\Zombie.exe"
    PID: 2872
    - Executes dropped EXE
    - Drops file in Program Files directory
  - C:\Users\Admin\AppData\Local\Temp\_cinst.exe
    Command line: "_cinst.exe"
    PID: 2800
    - Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
  PID: 2256
Network
MITRE ATT&CK Matrix
Downloads