Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 01:48
Static task: static1
Behavioral task: behavioral1
  Sample: 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
- Target: 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe
- Size: 174KB
- MD5: 54a627905c2973d98dc6f7acdd9a9ae0
- SHA1: d1ccec8c368bad8f6e756fc3d53f7e8ad92476d3
- SHA256: 689bb2f7b76075ad38ec5735be8af81eed90e11586a119e8da86de677459c0dc
- SHA512: 1bb4cc4a9809ff94e31fa18a3fe1a8b10c4002c8211610829a357068afe053e6b31faaed1f5dbe98e2b6f2bcaa3ef24b641f507558be3181e9a21384d1c7d76c
- SSDEEP: 1536:W7ZhA7pApvOsOKjC0YSilpFpfkJOM2kJOMIsKsc696xZgxgkvk9u51wuRzVWp5Yc:6e7WpXYvndxik9u8uRzVWbYOobIhNFz
Malware Config
Signatures
- Renames multiple (3463) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  2776 | _python3.11.exe
  1728 | Zombie.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid | process):
  1732 | 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe
  1732 | 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe
  1732 | 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Windows\SysWOW64\Zombie.exe | 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\SysWOW64\Zombie.exe | 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe
- Drops file in Program Files directory (64 IoCs)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  PID 1732 wrote to memory of 2776 | 1732 | 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe | _python3.11.exe
  PID 1732 wrote to memory of 2776 | 1732 | 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe | _python3.11.exe
  PID 1732 wrote to memory of 2776 | 1732 | 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe | _python3.11.exe
  PID 1732 wrote to memory of 2776 | 1732 | 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe | _python3.11.exe
  PID 1732 wrote to memory of 1728 | 1732 | 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe | Zombie.exe
  PID 1732 wrote to memory of 1728 | 1732 | 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe | Zombie.exe
  PID 1732 wrote to memory of 1728 | 1732 | 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe | Zombie.exe
  PID 1732 wrote to memory of 1728 | 1732 | 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe | Zombie.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Zombie.exe (depth 2)
    Command line: "C:\Windows\system32\Zombie.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
  - C:\Users\Admin\AppData\Local\Temp\_python3.11.exe (depth 2)
    Command line: "_python3.11.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\$Recycle.Bin\S-1-5-21-2812790648-3157963462-487717889-1000\desktop.ini.tmp
  Filesize: 77KB
  MD5: e078df45314ef6d59e91b64fdc2d9e43
  SHA1: 6a40893abdc841a9f2d4d0941b33e6192b414a62
  SHA256: 29f2fa0b20b818d21c6d18309be94a1bf25ec9a35f8fff6f9d47ec2ae4fdd8d5
  SHA512: 5ce588e429a2004b762f5f9a0566a4a87ee07a55ec1f5657fc41f7f35c476bc2ad9a0190c77d1cb834433cd1a7a7a4fc964e0aee7d2dd5cee58af5c4002bf4e2
- \Users\Admin\AppData\Local\Temp\_python3.11.exe
  Filesize: 97KB
  MD5: 1ef967b52d9e06df1226625314911edf
  SHA1: 559244c326df5697ca07aeb66787a5d7ae43b487
  SHA256: cfedc6fe0cafe07c7d975bf1d77e129e138ddc3a716dd664e614b5feae7eeb15
  SHA512: ea9537de8c0aeb4a16f9abb97223876be6aaf24418715dd55be5f14cbb707471e28b489ceffe5b459a9e15555bf3435f8c6c2f2f39ed4899a8553977b787383c
- \Windows\SysWOW64\Zombie.exe
  Filesize: 77KB
  MD5: 7e50597791c7e2f3521c6ab01209b234
  SHA1: 50296ecddf9201a37e35deb1f0130dc450d37fdf
  SHA256: 510c633fd8bc067e908472baa68a1e7becac90924b60d6c2d1857f24cf43fe59
  SHA512: a27eca5c087a7ced1563179db6547d8efafb88c43aee0ac6849146244c95e91ee13e2cfd37a8352914f7fe22caa95b877f7ad00d40024b89c19f86b7f5103215
- memory/2776-19-0x000007FEF5743000-0x000007FEF5744000-memory.dmp
  Filesize: 4KB
- memory/2776-20-0x00000000003F0000-0x000000000040E000-memory.dmp
  Filesize: 120KB