Malware Analysis Report

2025-01-03 08:26

Sample ID 240617-gsr2daxend
Target 56330c4b8bf3f300c3f0b63f4fa825d0_NeikiAnalytics.exe
SHA256 b4924e8c9bab5adc6e77e2e4d4b5b2a1796707e186ea056b37815f5260993c86
Tags
ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

b4924e8c9bab5adc6e77e2e4d4b5b2a1796707e186ea056b37815f5260993c86

Threat Level: Likely malicious

The file 56330c4b8bf3f300c3f0b63f4fa825d0_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (4856) files with added filename extension

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-17 06:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 06:04

Reported

2024-06-17 06:06

Platform

win7-20240221-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\56330c4b8bf3f300c3f0b63f4fa825d0_NeikiAnalytics.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\56330c4b8bf3f300c3f0b63f4fa825d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\56330c4b8bf3f300c3f0b63f4fa825d0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\56330c4b8bf3f300c3f0b63f4fa825d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\56330c4b8bf3f300c3f0b63f4fa825d0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 06:04

Reported

2024-06-17 06:07

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\56330c4b8bf3f300c3f0b63f4fa825d0_NeikiAnalytics.exe"

Signatures

Renames multiple (4856) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\56330c4b8bf3f300c3f0b63f4fa825d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\56330c4b8bf3f300c3f0b63f4fa825d0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\ReachFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsBase.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msquic.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Design.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\msipc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore_amd64_amd64_7.0.1624.6629.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Dynamic.Runtime.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.Client.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OMML2MML.XSL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\110.0.5481.104.manifest.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\msado27.tlb.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Extensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\7z.sfx.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.CoreLib.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.ZipFile.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationUI.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\History.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\56330c4b8bf3f300c3f0b63f4fa825d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\56330c4b8bf3f300c3f0b63f4fa825d0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Windows\SysWOW64\Zombie.exe

MD5 9e1c1243553d048f422ace912520f891
SHA1 0184c089ead7c847cbb1c4ff32609c6a9a166b5e
SHA256 57fb26202c7f1fad90a97aa541c55589a4f68ddb2a7999e243848fe1ac3410bf
SHA512 c8cbe3c9b2998503f8f32a6dba0c34f9f8072f248b5131b4fb3d5d9b1f710524788bfed2fdb700ec067860e7816ec1a9238f9f2634dda16a15b25a53b39d457a

C:\$Recycle.Bin\S-1-5-21-3169499791-3545231813-3156325206-1000\desktop.ini.exe

MD5 a502bb1f6e21a4bd033b5385ae4eb146
SHA1 aa6997879c95f987632c7d1fe9dc9e18bdd64efa
SHA256 fc3013bd6b406117b9142c3e87de9de01d464e6e6333446c7618c2bafc287f5d
SHA512 42481bb5faadc249e04dba897f0af1d423e2fd672265299c9061ec50467a62ef0098b0c6eb21bb2340cc2c066c3048e38248b3bef8c5d2a9a43bc6716686f184