Analysis
max time kernel: 150s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/05/2024, 15:53
Static task: static1
Behavioral task: behavioral1
  Sample: e38513bcf45635c24e16ae761d73d660_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: e38513bcf45635c24e16ae761d73d660_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: e38513bcf45635c24e16ae761d73d660_NeikiAnalytics.exe
Size: 511KB
MD5: e38513bcf45635c24e16ae761d73d660
SHA1: b390285019ad40aed1b30a934e5caf5e5a615940
SHA256: 874533ddd4c446943bb0741a43e8ddd6268369ecf681bc950e90df3bfe2414b2
SHA512: e24483d71bccf3126476d25f8dfcdab664cc7ee9d7bb4e03a7e031065404785bfd4c526c15d1991995cd7726eb80dc1b89be4ead8d04455cdf9f54345e75c198
SSDEEP: 12288:3PxPir9RyiIuGcKbpaSL4vtFVHPyvewDzvUa+:3PxPiRRyisBpaSsvtbiMa+
Malware Config
Signatures
Renames multiple (4061) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

Executes dropped EXE (2 IoCs)
  pid   Process
  2344  _cpush.exe
  4036  Zombie.exe

Drops file in System32 directory (2 IoCs)
  description                   ioc                             Process
  File created                  C:\Windows\SysWOW64\Zombie.exe  e38513bcf45635c24e16ae761d73d660_NeikiAnalytics.exe
  File opened for modification  C:\Windows\SysWOW64\Zombie.exe  e38513bcf45635c24e16ae761d73d660_NeikiAnalytics.exe
Drops file in Program Files directory (64 IoCs)
  description   ioc   Process
  File created  C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\zh-TW.pak.tmp  Zombie.exe
  File created  C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogoCanary.png.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\bin\jdeps.exe.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-0.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Design.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\System\ado\msadomd.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemCore.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.tmp  Zombie.exe
  File created  C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\System\ado\msado15.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Immutable.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationTypes.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\LICENSE.txt.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceProcess.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Controls.Ribbon.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Java\jre-1.8\bin\dt_socket.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Mail.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jre-1.8\bin\jaas_nt.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-pl.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-profile-l1-1-0.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationProvider.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-oob.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Office16\1033\IFDPINTL.DLL.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Xaml.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\ReachFramework.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Controls.Ribbon.resources.dll.tmp  Zombie.exe
  File created  C:\Program Files\Java\jre-1.8\lib\jsse.jar.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-phn.xrm-ms.tmp  Zombie.exe
  File created  C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.tmp  Zombie.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  description                        pid   Process                                              procid_target
  PID 3644 wrote to memory of 2344   3644  e38513bcf45635c24e16ae761d73d660_NeikiAnalytics.exe  85
  PID 3644 wrote to memory of 2344   3644  e38513bcf45635c24e16ae761d73d660_NeikiAnalytics.exe  85
  PID 3644 wrote to memory of 4036   3644  e38513bcf45635c24e16ae761d73d660_NeikiAnalytics.exe  86
  PID 3644 wrote to memory of 4036   3644  e38513bcf45635c24e16ae761d73d660_NeikiAnalytics.exe  86
  PID 3644 wrote to memory of 4036   3644  e38513bcf45635c24e16ae761d73d660_NeikiAnalytics.exe  86
Processes
  C:\Users\Admin\AppData\Local\Temp\e38513bcf45635c24e16ae761d73d660_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e38513bcf45635c24e16ae761d73d660_NeikiAnalytics.exe"
    PID: 3644
    Drops file in System32 directory
    Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\_cpush.exe
      Command line: "_cpush.exe"
      PID: 2344
      Executes dropped EXE

    C:\Windows\SysWOW64\Zombie.exe
      Command line: "C:\Windows\system32\Zombie.exe"
      PID: 4036
      Executes dropped EXE
      Drops file in Program Files directory
Network
MITRE ATT&CK Matrix
Downloads
  Filesize: 368KB
  MD5: 1dc2b171e1936764e9852129e886c79e
  SHA1: 9e2de3066c456d5a99ae0c7dd33038ac47c2d0b7
  SHA256: f036414a800fc80bcebcc4942ffd20d7ed3fec1aa473291a91662d3d7e097018
  SHA512: 91ebdc26bc3cac9a0f71c53d8bc7d8ced1a233631aaeee41db4c29655f792e3502d14be76a761337fc867f3831d3f622714258ea2b902d277955c40d50e4ab56

  Filesize: 143KB
  MD5: c1d5e48111f4984433e6318466ee1bce
  SHA1: d3379a99f504b38794f491e4fff6c77cfab53eac
  SHA256: dfdf187874d7368a92bbebb68c8cdc5c183af47d954b5b27ddaeca6774ae4822
  SHA512: dfce97a9dc92521c2d576b3d21071cb04df4a6d927676a2b95abc0093b67a044aab8d3f8612a4a70f9128cf2555d3a554a1c3f941647a64d30298ab28bba7441

  Filesize: 368KB
  MD5: f760f6c2a3896c157c5471b10a08d052
  SHA1: 809c4cccddeedba8a4e63f073214bc3cbf909c32
  SHA256: d2a85cf741c620968c737056426786e859912903cc8270aa788820a288eeb418
  SHA512: 41a10027f1f02f8b832f8554ee550f87a53d6b2846af83efbf3f7a290da27b8427b6ae19fc0b4d9f02fac47aba565e15051392a839bce29efe0a1b4016d95d5a