Analysis
max time kernel: 150s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 01:48
Static task: static1
Behavioral task: behavioral1
Sample: 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe
Size: 174KB
MD5: 54a627905c2973d98dc6f7acdd9a9ae0
SHA1: d1ccec8c368bad8f6e756fc3d53f7e8ad92476d3
SHA256: 689bb2f7b76075ad38ec5735be8af81eed90e11586a119e8da86de677459c0dc
SHA512: 1bb4cc4a9809ff94e31fa18a3fe1a8b10c4002c8211610829a357068afe053e6b31faaed1f5dbe98e2b6f2bcaa3ef24b641f507558be3181e9a21384d1c7d76c
SSDEEP: 1536:W7ZhA7pApvOsOKjC0YSilpFpfkJOM2kJOMIsKsc696xZgxgkvk9u51wuRzVWp5Yc:6e7WpXYvndxik9u8uRzVWbYOobIhNFz
Malware Config
Signatures
- Renames multiple (5192) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  3732 _python3.11.exe
  3192 Zombie.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description, ioc, process):
  File created C:\Windows\SysWOW64\Zombie.exe 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe
  File opened for modification C:\Windows\SysWOW64\Zombie.exe 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe
- Drops file in Program Files directory (64 IoCs; process: Zombie.exe)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description, pid, process, target process):
  PID 2584 wrote to memory of 3732: 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe -> _python3.11.exe
  PID 2584 wrote to memory of 3732: 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe -> _python3.11.exe
  PID 2584 wrote to memory of 3192: 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe -> Zombie.exe
  PID 2584 wrote to memory of 3192: 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe -> Zombie.exe
  PID 2584 wrote to memory of 3192: 54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe -> Zombie.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\54a627905c2973d98dc6f7acdd9a9ae0_NeikiAnalytics.exe"
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\_python3.11.exe
      Command line: "_python3.11.exe"
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\Zombie.exe
      Command line: "C:\Windows\system32\Zombie.exe"
      - Executes dropped EXE
      - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix
Downloads
- C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.exe
  Filesize: 77KB
  MD5: 33475d111897bd98e7522e046639a331
  SHA1: f67cb6684a17164d028e3158a37185a3d766d0d0
  SHA256: 20813c770ad246f96a990fb397b5d56b6e2ef856b5226c189012ec4f07d4cc08
  SHA512: 12a3ef378fd00a0e7ef7b12db501262ecea602f1aeb2eeb2cfa8418694326dcbee7de2e86cc5c3f63dce3de45a82ae36e31f675b209d8633e533b29defd7a650
- C:\Users\Admin\AppData\Local\Temp\_python3.11.exe
  Filesize: 97KB
  MD5: 1ef967b52d9e06df1226625314911edf
  SHA1: 559244c326df5697ca07aeb66787a5d7ae43b487
  SHA256: cfedc6fe0cafe07c7d975bf1d77e129e138ddc3a716dd664e614b5feae7eeb15
  SHA512: ea9537de8c0aeb4a16f9abb97223876be6aaf24418715dd55be5f14cbb707471e28b489ceffe5b459a9e15555bf3435f8c6c2f2f39ed4899a8553977b787383c
- C:\Windows\SysWOW64\Zombie.exe
  Filesize: 77KB
  MD5: 7e50597791c7e2f3521c6ab01209b234
  SHA1: 50296ecddf9201a37e35deb1f0130dc450d37fdf
  SHA256: 510c633fd8bc067e908472baa68a1e7becac90924b60d6c2d1857f24cf43fe59
  SHA512: a27eca5c087a7ced1563179db6547d8efafb88c43aee0ac6849146244c95e91ee13e2cfd37a8352914f7fe22caa95b877f7ad00d40024b89c19f86b7f5103215
- memory/3732-19-0x00007FFF9E763000-0x00007FFF9E765000-memory.dmp
  Filesize: 8KB
- memory/3732-20-0x0000000000930000-0x000000000094E000-memory.dmp
  Filesize: 120KB