Analysis

  • max time kernel
    150s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/05/2024, 15:53

General

  • Target

    e38513bcf45635c24e16ae761d73d660_NeikiAnalytics.exe

  • Size

    511KB

  • MD5

    e38513bcf45635c24e16ae761d73d660

  • SHA1

    b390285019ad40aed1b30a934e5caf5e5a615940

  • SHA256

    874533ddd4c446943bb0741a43e8ddd6268369ecf681bc950e90df3bfe2414b2

  • SHA512

    e24483d71bccf3126476d25f8dfcdab664cc7ee9d7bb4e03a7e031065404785bfd4c526c15d1991995cd7726eb80dc1b89be4ead8d04455cdf9f54345e75c198

  • SSDEEP

    12288:3PxPir9RyiIuGcKbpaSL4vtFVHPyvewDzvUa+:3PxPiRRyisBpaSsvtbiMa+

Score
9/10

Malware Config

Signatures

  • Renames multiple (4061) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e38513bcf45635c24e16ae761d73d660_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\e38513bcf45635c24e16ae761d73d660_NeikiAnalytics.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3644
    • C:\Users\Admin\AppData\Local\Temp\_cpush.exe
      "_cpush.exe"
      2⤵
      • Executes dropped EXE
      PID:2344
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:4036

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.exe

          Filesize

          368KB

          MD5

          1dc2b171e1936764e9852129e886c79e

          SHA1

          9e2de3066c456d5a99ae0c7dd33038ac47c2d0b7

          SHA256

          f036414a800fc80bcebcc4942ffd20d7ed3fec1aa473291a91662d3d7e097018

          SHA512

          91ebdc26bc3cac9a0f71c53d8bc7d8ced1a233631aaeee41db4c29655f792e3502d14be76a761337fc867f3831d3f622714258ea2b902d277955c40d50e4ab56

        • C:\Users\Admin\AppData\Local\Temp\_cpush.exe

          Filesize

          143KB

          MD5

          c1d5e48111f4984433e6318466ee1bce

          SHA1

          d3379a99f504b38794f491e4fff6c77cfab53eac

          SHA256

          dfdf187874d7368a92bbebb68c8cdc5c183af47d954b5b27ddaeca6774ae4822

          SHA512

          dfce97a9dc92521c2d576b3d21071cb04df4a6d927676a2b95abc0093b67a044aab8d3f8612a4a70f9128cf2555d3a554a1c3f941647a64d30298ab28bba7441

        • C:\Windows\SysWOW64\Zombie.exe

          Filesize

          368KB

          MD5

          f760f6c2a3896c157c5471b10a08d052

          SHA1

          809c4cccddeedba8a4e63f073214bc3cbf909c32

          SHA256

          d2a85cf741c620968c737056426786e859912903cc8270aa788820a288eeb418

          SHA512

          41a10027f1f02f8b832f8554ee550f87a53d6b2846af83efbf3f7a290da27b8427b6ae19fc0b4d9f02fac47aba565e15051392a839bce29efe0a1b4016d95d5a

        • memory/2344-19-0x00007FFE5BD23000-0x00007FFE5BD25000-memory.dmp

          Filesize

          8KB

        • memory/2344-20-0x0000000000480000-0x00000000004A8000-memory.dmp

          Filesize

          160KB