133ebe8fc9c1f5edeb75167211d23ffbbbb8489a1afd97ba757304b17c0a2078

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

133ebe8fc9c1f5edeb75167211d23ffbbbb8489a1afd97ba757304b17c0a2078_NeikiAnalytics.exe
Size

433KB
MD5

50b93aa568ebd97ca02b9449932ed1a0
SHA1

48b6062ef504c908a6f9d8c088ae63c77408580d
SHA256

133ebe8fc9c1f5edeb75167211d23ffbbbb8489a1afd97ba757304b17c0a2078
SHA512

346346b76cfeb94efe6e64f34f7966428442e70da1e4875c6aa38eafbd51321b7f5299091b93e829988337ad32e00cb4585b903ab2e72e3276cf73b0a3e58e80
SSDEEP

12288:KQtcNUhiHOR4LucvSFSrux88ndNtJXzLFzig:KIGUhiHOeE8rin3thLL

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5030) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	_AdobeARMHelper.exe

Executes dropped EXE 2 IoCs

pid	Process
1016	_AdobeARMHelper.exe
2416	Zombie.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1820-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/2416-12-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x0007000000023467-14.dat	upx
behavioral2/files/0x0005000000022f58-10.dat	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	133ebe8fc9c1f5edeb75167211d23ffbbbb8489a1afd97ba757304b17c0a2078_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	133ebe8fc9c1f5edeb75167211d23ffbbbb8489a1afd97ba757304b17c0a2078_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Localytics.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\nio.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\UCRTBASE.DLL.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebProxy.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\LogoCanary.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfxmedia.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemCore.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fr.pak.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Xaml.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-100.png.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL054.XML.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Buffers.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Primitives.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.DriveInfo.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgrammar8.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.tmp	Zombie.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1016	_AdobeARMHelper.exe
1016	_AdobeARMHelper.exe
1016	_AdobeARMHelper.exe
1016	_AdobeARMHelper.exe
1016	_AdobeARMHelper.exe
1016	_AdobeARMHelper.exe
1016	_AdobeARMHelper.exe
1016	_AdobeARMHelper.exe
1016	_AdobeARMHelper.exe
1016	_AdobeARMHelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3472	AdobeARM.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 1016	1820	133ebe8fc9c1f5edeb75167211d23ffbbbb8489a1afd97ba757304b17c0a2078_NeikiAnalytics.exe	84
PID 1820 wrote to memory of 1016	1820	133ebe8fc9c1f5edeb75167211d23ffbbbb8489a1afd97ba757304b17c0a2078_NeikiAnalytics.exe	84
PID 1820 wrote to memory of 1016	1820	133ebe8fc9c1f5edeb75167211d23ffbbbb8489a1afd97ba757304b17c0a2078_NeikiAnalytics.exe	84
PID 1820 wrote to memory of 2416	1820	133ebe8fc9c1f5edeb75167211d23ffbbbb8489a1afd97ba757304b17c0a2078_NeikiAnalytics.exe	85
PID 1820 wrote to memory of 2416	1820	133ebe8fc9c1f5edeb75167211d23ffbbbb8489a1afd97ba757304b17c0a2078_NeikiAnalytics.exe	85
PID 1820 wrote to memory of 2416	1820	133ebe8fc9c1f5edeb75167211d23ffbbbb8489a1afd97ba757304b17c0a2078_NeikiAnalytics.exe	85
PID 1016 wrote to memory of 3472	1016	_AdobeARMHelper.exe	86
PID 1016 wrote to memory of 3472	1016	_AdobeARMHelper.exe	86
PID 1016 wrote to memory of 3472	1016	_AdobeARMHelper.exe	86
PID 3472 wrote to memory of 2900	3472	AdobeARM.exe	97
PID 3472 wrote to memory of 2900	3472	AdobeARM.exe	97
PID 3472 wrote to memory of 2900	3472	AdobeARM.exe	97

C:\Users\Admin\AppData\Local\Temp\133ebe8fc9c1f5edeb75167211d23ffbbbb8489a1afd97ba757304b17c0a2078_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\133ebe8fc9c1f5edeb75167211d23ffbbbb8489a1afd97ba757304b17c0a2078_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\_AdobeARMHelper.exe
  "_AdobeARMHelper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
      4⤵
      PID:2900
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3169499791-3545231813-3156325206-1000\desktop.ini.exe

Filesize
45KB

MD5
4f93a2c445f384ac1eab870c47a221c1

SHA1
a945af84ec66da8e06d375ce0c5032b1b8ee0ade

SHA256
8835c4d63cb0160dc5cadae6016f9e9f92541a5465eee8fde8a112dfe4bde27a

SHA512
b92b554501cc94be3428aea5caad02d8449f8765da26b528b9efe98881ecdc392f4330a395e5b7acce6ef76cc43c53d6fc2f6cc8593a44c04ce98e7795ccb9f4

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini

Filesize
746B

MD5
5757246b0746f04f7c6c7685c433d80f

SHA1
910a75876285c35fe0fa03c11f36257aeba8a2b3

SHA256
d33f7174ff6e717d72bfb38cf92e25135823d3d02273bf3f575f95d2afdc12dc

SHA512
8f2f3642154d4f016f7679567cc5879e8d4a794a07b62b9663905406a77aebb111b04032353588719a631d9e5223acf543499ef7f7b36e0e15ec966c638219f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log

Filesize
178B

MD5
0bb00ef9fd7aec54a8031d9daec89dd5

SHA1
1c7ce34c3035dc5709af4ba78231f06e7ad8fe67

SHA256
bda8be6d3fde7f41471c2761ed0df1d35ce64b438ed265080dceae1b638daaf9

SHA512
17b58ea0ef6462bdbfe994e1a1dcc04876adc3b4be187336379ee35c573eb0366cef4b73b956061a5b667b91452990be5170ed79492a1a2d47e6bde4e11b7f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArmUI.ini

Filesize
251KB

MD5
864c22fb9a1c0670edf01c6ed3e4fbe4

SHA1
bf636f8baed998a1eb4531af9e833e6d3d8df129

SHA256
b4d4dcd9594d372d7c0c975d80ef5802c88502895ed4b8a26ca62e225f2f18b0

SHA512
ff23616ee67d51daa2640ae638f59a8d331930a29b98c2d1bd3b236d2f651f243f9bae38d58515714886cfbb13b9be721d490aad4f2d10cbba74d7701ab34e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp980A.tmp

Filesize
3KB

MD5
bbb796dd2b53f7fb7ce855bb39535e2f

SHA1
dfb022a179775c82893fe8c4f59df8f6d19bd2fd

SHA256
ff9b4cf04e3202f150f19c1711767361343935da7841c98b876c42fd2cabce9b

SHA512
0d122f454fcbf4524c2756692f0f33dc98f5bd2426839c6f03cd5c5f4fd507a8a15cf489d7a7ceadd1b95cf31b506c04bf03d613a9ba7d76add92766b1dc5c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpB7B9.tmp

Filesize
3KB

MD5
ec946860cff4f4a6d325a8de7d6254d2

SHA1
7c909f646d9b2d23c58f73ec2bb603cd59dc11fd

SHA256
19fe53c801ad7edc635f61e9e28d07da31780c2480e6f37ecfc63fffe1b250fe

SHA512
38a98b18dbae063bc533a1ff25a3467a7de197651e07e77a1b22cf8ce251282ab31f61dcff5c51ef186cfd115dc506181d480eabffbe92af01dee6282cbee13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpB7D9.tmp

Filesize
3KB

MD5
fc2430057cb1be74c788f10c2d4540c8

SHA1
cab67ee8d5191fbf9f25545825e06c1a822af2f2

SHA256
dcc9d2695125406282ba990fec39403c44b12964acf51b5e0dc7f2080d714398

SHA512
4e2b9709a9e3ca5173abb35816e5a0aebbf2a7aaf971d7f75f3ae66e4a812cbade103baa5016525f5ab83a60c18f8d3c278c90ff83e4afdae419f81673cb5aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpBA6B.tmp

Filesize
3KB

MD5
a58599260c64cb41ed7d156db8ac13ef

SHA1
fb9396eb1270e9331456a646ebf1419fc283dc06

SHA256
aabf92089e16fdb28706356dbc4efb5a81f5277946f2e67695b31676616ed2d2

SHA512
6970cbc42e7ec64ccdb8e5633b7017b1e9ec0d4ad094869e221e9275b814b1442b84827996190159543bdb5e86df6885c45197c533d657db4660fca8ad761a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\_AdobeARMHelper.exe

Filesize
387KB

MD5
c18baf4d858b36dbf1e679c79c659a70

SHA1
f5638a26a57a9ef9dbfb0b1a324c13f2b548f308

SHA256
843dd18df8fd40e9e8ab2cecc52c03f2e95b0c2933162ba860d83e23c207b82c

SHA512
a46d780398f5066a90de5e0772a0a0f55f802dca023e8c90db271507aacec8f73a6f3a8cbd086031235e2037eab83975b68e52c17519efc4c6148b48f2ad2ee2

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
45KB

MD5
c25cc95aa5975dbb1a479e1df5538a23

SHA1
bc0e472c7f024b246dc250427a370fe7d5f578db

SHA256
1d89bd15bf124ca9e2631c548c8455261cb5001212f09f5da83cd43dabf193dd

SHA512
652f1022af483b939bef006ca79c3d5685dc11fe015eb5e9b159e9d2172a4109569c9cdad0a30af90c59140de14e179cbf634d7239732ebd34ca4c5d76904626

Download Submit
memory/1820-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2416-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download