Analysis

  • max time kernel
    149s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    10-06-2024 23:22

General

  • Target

    1efe27e85891a46a1e7959c12fd137b0_NeikiAnalytics.exe

  • Size

    396KB

  • MD5

    1efe27e85891a46a1e7959c12fd137b0

  • SHA1

    cb2a2fe051231b335393982e85ebed4e37f27a3b

  • SHA256

    19c7b6bbf6dca55efbe542bd69260269a5c1afbb4b93b70dface6145c485fb19

  • SHA512

    6be1392d7126a6997314db44d7d1df60a2a0aa7a50140ae7c4363feff8c9fca1fa6bc8057f3d9e1fcba5b83504eb79dc55aa912b6db946bd44b6da5a585f8d1f

  • SSDEEP

    6144:RqAtkemFTlAOB6pcq+HpFeHPgsHsSYafq8g2Oo:dkhAzpcqapMvgzS/Jl

Score
9/10

Malware Config

Signatures

  • Renames multiple (3505) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1efe27e85891a46a1e7959c12fd137b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1efe27e85891a46a1e7959c12fd137b0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:1712
    • C:\Users\Admin\AppData\Local\Temp\_ConfigSecurityPolicy.exe
      "_ConfigSecurityPolicy.exe"
      2⤵
      • Executes dropped EXE
      PID:2368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.tmp

    Filesize

    92KB

    MD5

    bb281d1b23e57c7bcd2bf4429eb6230a

    SHA1

    3252fdf655843f1911be49e2507cc3634685e805

    SHA256

    6dc6bc5b2ce78befd9149c5ffa1e3bd4b35603931cc129375d97cfe7038ca51e

    SHA512

    c84fbb7e787d2f558bd874b273d72361ffa5b66587a635560d72adb9201a5137ba641a5ecf3cfcee50a7114c322be8aba17c9fd5dd236eb1407f44d2e226f00f

  • C:\Users\Admin\AppData\Local\Temp\_ConfigSecurityPolicy.exe

    Filesize

    304KB

    MD5

    a2ff144973a98d241d129081fa9baa6b

    SHA1

    7db942775d84fe782e85390c0ddd1b1ef61617b1

    SHA256

    1cc8e44c620067448bdd2fa88f9ff3a3c64b9a3f06b51c4116ab73376a48bc0a

    SHA512

    c71abb7c0ad554d5f1a5e324163763c6ff5476d37145092c69f213973278c7899818a3809a80323184eaedcbd45f9f5a6acd73d776dc617d32ededc89f84a303

  • \Windows\SysWOW64\Zombie.exe

    Filesize

    92KB

    MD5

    0ee6b6de6a5dfda15635bf72507964e9

    SHA1

    5c2266fe332d7fee86d02041482310adee86fb9c

    SHA256

    5a2dc4a2e4bddde80baf9143b58a06779134bb03a693449523f92e3867766e0a

    SHA512

    c60b923b00a3f843ee4a514d0ff0549a68bdd14d71e3d214b923a15a13b6f945024368a29cf14ac2368189548325ae6f10ab8f7bb870cb00065ee91e524d0411