Extracted

Extracted

• • Target

    7a4d85a1bef0ca4cecfe376e0ee91090_NeikiAnalytics.exe

  • Size

    388KB

  • MD5

    7a4d85a1bef0ca4cecfe376e0ee91090

  • SHA1

    0eaab4a4cf009d2d0d2d525bad4742356ca06317

  • SHA256

    0cfff9ddd855236e2c89d1778e88bd87db965a29d0e4e6b75178add06fd4fdb0

  • SHA512

    963509e2871858ba356a6b1e2af71b05c22019ffe4172a3ed8d70d54597bf10a67607d8083fef90e549521cf194d76af1112f7628b23943d0da0ebde0704e280

  • SSDEEP

    6144:VPHkQ4ydZZb+Q7Qf4+4/X+8PvjAsYcHte9qYJkIb/VNIFNgQfo/Xse6+pA+Z0S:BrZZbJu4+Q+8RBe9qYacVNyN/l+pn5

  Score

  10^/10

  teslacryptdefense_evasionexecutionimpactpersistenceransomwarespywarestealer

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

    ransomwareteslacrypt

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (423) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2