Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 02:36

General

  • Target
    57b502ae4fd0e0e29b3123354fb703c0_NeikiAnalytics.exe
  • Size
    189KB
  • MD5
    57b502ae4fd0e0e29b3123354fb703c0
  • SHA1
    d0bdff08805ddc658bfb97fe8f2571faadf6d2e7
  • SHA256
    2b479fd15fb09fac73d6f59387d6c09d9a5f9ac4391287bc82ccf99b0d934202
  • SHA512
    0d4502b6f96d76e5a48a202f4848b6190adadb141c4e0eee001e8d68d4d7b9457cbe43bb994fd860c3d0349b1c9ce65ae4fa70590b1e617518900377532ddc3b
  • SSDEEP
    3072:KQSoskRY+E9tHpKrvGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2Exy:KQSo1Yx95pK7ShcHUaN

Score
9/10

Malware Config

Signatures

  • Renames multiple (5190) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE (2 IoCs)
  • UPX packed file (4 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory (2 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Suspicious use of WriteProcessMemory (5 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\57b502ae4fd0e0e29b3123354fb703c0_NeikiAnalytics.exe (PID 4128)
    Command line: "C:\Users\Admin\AppData\Local\Temp\57b502ae4fd0e0e29b3123354fb703c0_NeikiAnalytics.exe"
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    Child processes:
    • C:\Windows\SysWOW64\Zombie.exe (PID 2128)
      Command line: "C:\Windows\system32\Zombie.exe"
      • Executes dropped EXE
      • Drops file in Program Files directory
    • C:\Users\Admin\AppData\Local\Temp\_clist.exe (PID 4844)
      Command line: "_clist.exe"
      • Executes dropped EXE

Network

MITRE ATT&CK Matrix

Downloads

  • C:\$Recycle.Bin\S-1-5-21-4204450073-1267028356-951339405-1000\desktop.ini.exe
    Filesize
    46KB
    MD5
    18568f2a38b3eb95fbffef78a542e5ea
    SHA1
    769c6f3bf510dccb0df0476abb2abe734ad4bee1
    SHA256
    db390c8cd5de6a5bc93eb72b932e053aa621e78b566a9a2955053a02d55226ad
    SHA512
    f0a726b44a9a2ad1c8d7ddc2b2251067856009c6f4779b394e6f0b2cd998e1aeee519602b333ecfcc784f83018c268a063d560689f5e6085fd9ed8c3430e9c53

  • C:\Users\Admin\AppData\Local\Temp\_clist.exe
    Filesize
    143KB
    MD5
    b27ea830fb39bc056e65f9a2260ae216
    SHA1
    b69e40ee5cabe0721d2d1e9fbdd4088fd87592d6
    SHA256
    fb7fab836f744d669451dcd38aa7d2a9c74c6af893c258d079439b58abce70d8
    SHA512
    22cad79d90a949174828ee5e3ce621113591c7c991c55c1a6a44a4555002adeb3bcbd9bab6cfbbfdefd663b76ac2dae96d70a01c527b312c7e8d223334a30219

  • C:\Windows\SysWOW64\Zombie.exe
    Filesize
    45KB
    MD5
    2318fea0eba3f23050117616a85196dc
    SHA1
    bf49182c7c6313508a7dc90c9c17b40e2088f855
    SHA256
    39f5a3b741123f3dcd067112eae796a219bc2192ea421e81908371efd691a052
    SHA512
    4f4105dc52655d1afc0d6732d9d6323d08431f27c3351dff82a39c19585543064814d791631d0c1aee23e19301f8c96dca0d3168b29d67938046e96f2199bfc0

  • memory/4128-0-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize
    40KB

  • memory/4128-24-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize
    40KB

  • memory/4844-20-0x0000000000740000-0x0000000000768000-memory.dmp
    Filesize
    160KB

  • memory/4844-21-0x00007FF93ADA3000-0x00007FF93ADA5000-memory.dmp
    Filesize
    8KB