769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258_NeikiAnalytics.exe
Size

7.3MB
MD5

6729048bb8f383f975b4980a8f2c4d90
SHA1

a1b5311179da5a7e39eba257d9c9e16ab0bfc2aa
SHA256

769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258
SHA512

6eac771add0dd9aa04d4da13a1ae7e0c32d2a336bfcad02cc91d73e0340e834e86e81befbd931dbb08eb71b8ba220e8ccb60573a5c4004f99cfa88fd62322ad6
SSDEEP

98304:QtzqBZMMEM0MUMRMxMwMkfqbjxbSzGVr4W11/KsZfGpWqOJwNC:CqBZtlV1qKpkfqbjeGVr4wZfNnJwo

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4100) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
2972	Zombie.exe
2552	_choco.exe

Loads dropped DLL 4 IoCs

pid	Process
2872	769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258_NeikiAnalytics.exe
2872	769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258_NeikiAnalytics.exe
2872	769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258_NeikiAnalytics.exe
2872	769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258_NeikiAnalytics.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2872-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000b000000015d59-3.dat	upx
behavioral1/memory/2872-4-0x0000000000260000-0x000000000026A000-memory.dmp	upx
behavioral1/memory/2972-13-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x00070000000167bf-15.dat	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Zombie.exe	769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\Office14\MSOHEVI.DLL.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Cocos.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\picturePuzzle.html.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\gadget.xml.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\THMBNAIL.PNG.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\installer.dll.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IO.Log.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\gadget.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\Office14\NAMEEXT.DLL.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\libGLESv2.dll.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Thawte Root Certificate.cer.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\gadget.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-actions.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\es-ES\Minesweeper.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\installation_telemetry.json.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\security\java.policy.tmp	Zombie.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\settings.html.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Center.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\decora-sse.dll.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\gadget.xml.tmp	Zombie.exe
File created	C:\Program Files\Windows Media Player\wmpnscfg.exe.tmp	Zombie.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\PREVIEW.GIF.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\settings.js.tmp	Zombie.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\weather.css.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\pdmproxy100.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Stockholm.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Adak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-2.tmp	Zombie.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	_choco.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2972	2872	769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258_NeikiAnalytics.exe	28
PID 2872 wrote to memory of 2972	2872	769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258_NeikiAnalytics.exe	28
PID 2872 wrote to memory of 2972	2872	769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258_NeikiAnalytics.exe	28
PID 2872 wrote to memory of 2972	2872	769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258_NeikiAnalytics.exe	28
PID 2872 wrote to memory of 2552	2872	769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258_NeikiAnalytics.exe	29
PID 2872 wrote to memory of 2552	2872	769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258_NeikiAnalytics.exe	29
PID 2872 wrote to memory of 2552	2872	769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258_NeikiAnalytics.exe	29
PID 2872 wrote to memory of 2552	2872	769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\769e75a3c7372d289ef5ae598155a5d9c50a873e32431196228bf210eb154258_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2972
- C:\Users\Admin\AppData\Local\Temp\_choco.exe
  "_choco.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.tmp

Filesize
17KB

MD5
54eb1edc7c3d97362989378b9fa3df82

SHA1
e4e32aa095213a4e2d0c2f3c7ac28492a0d96559

SHA256
7e10f6fc1cd610e4a87a0d67ee16dc7c22c99a88331bb45ed115030f80fbbb10

SHA512
98958ace40d9d40bf82733097e1021848033f7fee8d5ab265f78b4a7f1412657645fe56203706c10bcbe1563cce225e6e83152f11c70909eba5c3a59f8c2fde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_choco.exe

Filesize
7.3MB

MD5
dd6b75a77601d62ac66df1b0a51a7de3

SHA1
699fc35deccb0cd6e341420903fc993535c2c98f

SHA256
2f46a1d48e1589e0aa10f215e77cb48fb90c531e19aa3c05d766f59b449f3c15

SHA512
43bd57e5379c22494aade734a45a443722327d48c7f06aa521048c99adba576e29bd70bba7bd28ba94f8f24f88efed7b8e5a1b3249cbfcb4d95fd0bc1f424d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\chocolatey.config.backup

Filesize
809B

MD5
8b6737800745d3b99886d013b3392ac3

SHA1
bb94da3f294922d9e8d31879f2d145586a182e19

SHA256
86f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594

SHA512
654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\chocolatey.log

Filesize
4KB

MD5
31dc025f658dc9c3fcd34f8185e2e288

SHA1
bea882c47cc5f31a8ab99cf2908e85bfe8e24421

SHA256
9875d2386f9c90b96c1ee0f4087d4285149fd27dbf0eeee3e8ae77bdf3f2df1a

SHA512
8c945dac5d55ecc8b171b70768a6723853e693c5f9e4454fa951c3468ab8d018a5ce7449a4d7a4749ff16eae54f8ebaee14665c8ee05c20949ff69a3b688bd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\chocolatey.log

Filesize
805B

MD5
459bbb47325c2c6c5dffa09db3517d8f

SHA1
1accb196dcc24305a21eec3f4e1ca2f5bb784991

SHA256
885b7232ac86da90c40137563dfce58cc91639ca05740bc94ad30db4a5719f8d

SHA512
e847e8de7dd18d9e8be278c20a7c48cd72a62182ac5fbcb5b20567ab91af47f30f0c4ca16c20c558ecfee4aa5b80a8b272299db60ce35e7fe94aed48cb2a85ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\chocolatey.log

Filesize
2KB

MD5
9db1f898c72092792e8330b45fab05ec

SHA1
5558d38ba3e89296518fb0739e7f6c5a880dae16

SHA256
ff5c3f3cb1c101afcf9c3553f098764b05edcdaba0a630f9afec423aabb0f2e7

SHA512
68a697f43e4189086bcc3b8ba6b050d167fc87d6b16c824c2946e145b7a377e0d595324dec862c192ac5a7d79e622145b2472115460c172fb4c21fdb43807bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\cpush.exe.ignore

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
\Windows\SysWOW64\Zombie.exe

Filesize
17KB

MD5
b91a12e189a09276e21038f4e5b30546

SHA1
00edb2787fc78fca42c3468f437f33a56673071c

SHA256
b98ff84ca0782c70c06ee561c8fccee780e575d4e7d6bfa45b86b7f47b31db04

SHA512
a79444eb8634e3614b35f9484d4ca649bcc9f7f5ab0507a596e59458f2cda2fc1f05373775b8288bbdb52102a9a92960a8434eee201482b3a586c1a30434f87f

Download Submit
memory/2552-35-0x00000000012D0000-0x0000000001A16000-memory.dmp

Filesize
7.3MB

Download
memory/2552-36-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2552-44-0x000000001BF10000-0x000000001C1F2000-memory.dmp

Filesize
2.9MB

Download
memory/2552-34-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp

Filesize
4KB

Download
memory/2552-170-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2872-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2872-12-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/2872-4-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/2972-13-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download