Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    03/06/2024, 10:39

General

  • Target

    a0681e79a7b3192f0e1095bd50230090_NeikiAnalytics.exe

  • Size

    206KB

  • MD5

    a0681e79a7b3192f0e1095bd50230090

  • SHA1

    ede4c71e7d34095115d8f146f4767be8f53105db

  • SHA256

    7769de9fedf458d1d16fd04b5f5f74216a904fdb7b48fe032b34aa40b0bde2aa

  • SHA512

    5711474900a0a7ca704cebb667c2f113b9622108e59f3f97740e218b26f9daf6c26749e1ff3aebb6ae0a8a2642ec9a32b1c932fd9a5676f77ce921c95c23ab23

  • SSDEEP

    3072:fnyiQSowI9KHpKHDGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2lxGN:KiQSo/9QpKjShcHUaC

Score
9/10

Malware Config

Signatures

  • Renames multiple (539) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0681e79a7b3192f0e1095bd50230090_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\a0681e79a7b3192f0e1095bd50230090_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:2864
    • C:\Users\Admin\AppData\Local\Temp\_cpush.exe
      "_cpush.exe"
      2⤵
      • Executes dropped EXE
      PID:2996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.tmp

    Filesize

    63KB

    MD5

    aab9a2a80f4efb8f67f09db9b10d749c

    SHA1

    dfd427cbeec89ee4d32e31359b73388fd17c5cc0

    SHA256

    58f7bef23a3949d6a50bc992d05f5d155b5aa681ccad5a8d8379da2602e73571

    SHA512

    4fdd5068f382e1c271c9af632194e36c1fc8272867091800f95eea4c616a01c3fb4ac94ea1ac811d71a7d9f83c8a454ad0598909b09adb996238aeb346e0abca

  • \Users\Admin\AppData\Local\Temp\_cpush.exe

    Filesize

    143KB

    MD5

    c1d5e48111f4984433e6318466ee1bce

    SHA1

    d3379a99f504b38794f491e4fff6c77cfab53eac

    SHA256

    dfdf187874d7368a92bbebb68c8cdc5c183af47d954b5b27ddaeca6774ae4822

    SHA512

    dfce97a9dc92521c2d576b3d21071cb04df4a6d927676a2b95abc0093b67a044aab8d3f8612a4a70f9128cf2555d3a554a1c3f941647a64d30298ab28bba7441

  • \Windows\SysWOW64\Zombie.exe

    Filesize

    62KB

    MD5

    a5132d3a3f17bfd6fa64f5b30272e058

    SHA1

    4762186fe00e4e136f23cdbc9c8c855558a5084d

    SHA256

    991038af0a4742dfd53a8f6649369598e4c966a10f0cb83baf3ef540b93d0bc9

    SHA512

    47d47a8058eff2029ead977f48a928ad3a00d6959406e439ddedb04a800aa5af59fbc593f6b52992cf106cbf79030d616bbd4c79eafbb549f59c418048c68e08

  • memory/2864-16-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2956-0-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2956-14-0x00000000003E0000-0x00000000003EB000-memory.dmp

    Filesize

    44KB

  • memory/2956-24-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2996-22-0x000007FEF5A73000-0x000007FEF5A74000-memory.dmp

    Filesize

    4KB

  • memory/2996-23-0x0000000001210000-0x0000000001238000-memory.dmp

    Filesize

    160KB