Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 02:36

General

  • Target

    57b502ae4fd0e0e29b3123354fb703c0_NeikiAnalytics.exe

  • Size

    189KB

  • MD5

    57b502ae4fd0e0e29b3123354fb703c0

  • SHA1

    d0bdff08805ddc658bfb97fe8f2571faadf6d2e7

  • SHA256

    2b479fd15fb09fac73d6f59387d6c09d9a5f9ac4391287bc82ccf99b0d934202

  • SHA512

    0d4502b6f96d76e5a48a202f4848b6190adadb141c4e0eee001e8d68d4d7b9457cbe43bb994fd860c3d0349b1c9ce65ae4fa70590b1e617518900377532ddc3b

  • SSDEEP

    3072:KQSoskRY+E9tHpKrvGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2Exy:KQSo1Yx95pK7ShcHUaN

Score
9/10

Malware Config

Signatures

  • Renames multiple (3747) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\57b502ae4fd0e0e29b3123354fb703c0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\57b502ae4fd0e0e29b3123354fb703c0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Users\Admin\AppData\Local\Temp\_clist.exe
      "_clist.exe"
      2⤵
      • Executes dropped EXE
      PID:3052
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:2488

Network

MITRE ATT&CK Matrix

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.tmp
    Filesize

    46KB

    MD5

    7d2355249a6f308ff4b290eac1e9bd44

    SHA1

    2af978feae32ddaae563ee4a658d62d9f7f76795

    SHA256

    2a4b5a1109abfbb530b604683e393399026a6e723f6b8c9a0f9641934d0b063f

    SHA512

    b6b39cd9723a27bc27974cb34226d5ca0fd2c4344b972fa297a50f125bc53964baeb936ceaf01f150d1c756775c343e251a2f5cc7cdb96a06237fb17ed795865

  • \Users\Admin\AppData\Local\Temp\_clist.exe
    Filesize

    143KB

    MD5

    b27ea830fb39bc056e65f9a2260ae216

    SHA1

    b69e40ee5cabe0721d2d1e9fbdd4088fd87592d6

    SHA256

    fb7fab836f744d669451dcd38aa7d2a9c74c6af893c258d079439b58abce70d8

    SHA512

    22cad79d90a949174828ee5e3ce621113591c7c991c55c1a6a44a4555002adeb3bcbd9bab6cfbbfdefd663b76ac2dae96d70a01c527b312c7e8d223334a30219

  • \Windows\SysWOW64\Zombie.exe
    Filesize

    45KB

    MD5

    2318fea0eba3f23050117616a85196dc

    SHA1

    bf49182c7c6313508a7dc90c9c17b40e2088f855

    SHA256

    39f5a3b741123f3dcd067112eae796a219bc2192ea421e81908371efd691a052

    SHA512

    4f4105dc52655d1afc0d6732d9d6323d08431f27c3351dff82a39c19585543064814d791631d0c1aee23e19301f8c96dca0d3168b29d67938046e96f2199bfc0

  • memory/2488-19-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

  • memory/3040-0-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

  • memory/3040-9-0x00000000002E0000-0x00000000002EA000-memory.dmp
    Filesize

    40KB

  • memory/3040-18-0x00000000002E0000-0x00000000002EA000-memory.dmp
    Filesize

    40KB

  • memory/3052-23-0x000007FEF5693000-0x000007FEF5694000-memory.dmp
    Filesize

    4KB

  • memory/3052-24-0x0000000000D90000-0x0000000000DB8000-memory.dmp
    Filesize

    160KB