Overview

overview

9

Static

static

7

133ebe8fc9...cs.exe

windows7-x64

9

133ebe8fc9...cs.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    116s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    27-06-2024 20:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    133ebe8fc9c1f5edeb75167211d23ffbbbb8489a1afd97ba757304b17c0a2078_NeikiAnalytics.exe

  • Size

    433KB

  • MD5

    50b93aa568ebd97ca02b9449932ed1a0

  • SHA1

    48b6062ef504c908a6f9d8c088ae63c77408580d

  • SHA256

    133ebe8fc9c1f5edeb75167211d23ffbbbb8489a1afd97ba757304b17c0a2078

  • SHA512

    346346b76cfeb94efe6e64f34f7966428442e70da1e4875c6aa38eafbd51321b7f5299091b93e829988337ad32e00cb4585b903ab2e72e3276cf73b0a3e58e80

  • SSDEEP

    12288:KQtcNUhiHOR4LucvSFSrux88ndNtJXzLFzig:KIGUhiHOeE8rin3thLL

Score
9/10
ransomwareupx

Malware Config

Signatures

  • Renames multiple (3309) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\133ebe8fc9c1f5edeb75167211d23ffbbbb8489a1afd97ba757304b17c0a2078_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\133ebe8fc9c1f5edeb75167211d23ffbbbb8489a1afd97ba757304b17c0a2078_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:2204
    • C:\Users\Admin\AppData\Local\Temp\_AdobeARMHelper.exe
      "_AdobeARMHelper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini.tmp
    Filesize

    45KB

    MD5

    aee3f12226ea178acbbca2a37a7977c1

    SHA1

    69cb2e819d593207f04fd22580ea539f3cede2d2

    SHA256

    1c616679a826ca8b9aff609ea22f71f6d7cde333802d521d94358e7c3de4ff78

    SHA512

    75381c582529bb2ebd6e224e9cecd6e4282b873f104b74528fc6b95c47732d48550ac9cebdf95e31a945a7480d4263bae6f51b3d03d73932f037d92f2cf12bbc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\_AdobeARMHelper.exe
    Filesize

    387KB

    MD5

    c18baf4d858b36dbf1e679c79c659a70

    SHA1

    f5638a26a57a9ef9dbfb0b1a324c13f2b548f308

    SHA256

    843dd18df8fd40e9e8ab2cecc52c03f2e95b0c2933162ba860d83e23c207b82c

    SHA512

    a46d780398f5066a90de5e0772a0a0f55f802dca023e8c90db271507aacec8f73a6f3a8cbd086031235e2037eab83975b68e52c17519efc4c6148b48f2ad2ee2

    Download Submit

  • \Windows\SysWOW64\Zombie.exe
    Filesize

    45KB

    MD5

    c25cc95aa5975dbb1a479e1df5538a23

    SHA1

    bc0e472c7f024b246dc250427a370fe7d5f578db

    SHA256

    1d89bd15bf124ca9e2631c548c8455261cb5001212f09f5da83cd43dabf193dd

    SHA512

    652f1022af483b939bef006ca79c3d5685dc11fe015eb5e9b159e9d2172a4109569c9cdad0a30af90c59140de14e179cbf634d7239732ebd34ca4c5d76904626

    Download Submit

  • memory/2184-0-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2184-12-0x0000000000270000-0x000000000027A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2184-30-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download