863d145abc27e7a006ba1358b68c87366c8b571bb7ad489446c050d6e93d3fef

Analysis

max time kernel
150s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

863d145abc27e7a006ba1358b68c87366c8b571bb7ad489446c050d6e93d3fef_NeikiAnalytics.exe
Size

68KB
MD5

0efef0d68bf54740873e19ac132e8300
SHA1

feeec8c53613c6ab52818a0d30cea4c3a0470dcc
SHA256

863d145abc27e7a006ba1358b68c87366c8b571bb7ad489446c050d6e93d3fef
SHA512

b891367f31996d2dc895e724a8ed21e877dda3e96024af9b209dd54fdbdefa012ea55b90467444e11e5b23fadb5f2131f345ca96ad505da86f63e42d3aafc026
SSDEEP

768:/7BlpQpARFbhIYJIJDYJIJPfFpsJcFfFpsJcmnGUNGU4EXBwzEXBwnR5hrxR5hrs:/7ZQpApze+eJfFpsJOfFpsJeFrxFrs

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (5193) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
1932	Zombie.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zombie.exe	863d145abc27e7a006ba1358b68c87366c8b571bb7ad489446c050d6e93d3fef_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	863d145abc27e7a006ba1358b68c87366c8b571bb7ad489446c050d6e93d3fef_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClient.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h.tmp	Zombie.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash_11-lic.gif.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteNames.gpd.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\centered.dotx.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\default_apps\external_extensions.json.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag-dark.png.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.tree.dat.tmp	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationTypes.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\ReachFramework.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-localization-l1-2-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\msipc.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\Blog.dotx.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	Zombie.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-util-l1-1-0.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationProvider.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONLNTCOMLIB.DLL.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationTypes.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Primitives.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationProvider.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.png.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.White.png.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSBI.TTF.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaw.exe.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\wxpr.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.tmp	Zombie.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.Interop.Excel.dll.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 1932	4680	863d145abc27e7a006ba1358b68c87366c8b571bb7ad489446c050d6e93d3fef_NeikiAnalytics.exe	82
PID 4680 wrote to memory of 1932	4680	863d145abc27e7a006ba1358b68c87366c8b571bb7ad489446c050d6e93d3fef_NeikiAnalytics.exe	82
PID 4680 wrote to memory of 1932	4680	863d145abc27e7a006ba1358b68c87366c8b571bb7ad489446c050d6e93d3fef_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\863d145abc27e7a006ba1358b68c87366c8b571bb7ad489446c050d6e93d3fef_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\863d145abc27e7a006ba1358b68c87366c8b571bb7ad489446c050d6e93d3fef_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\SysWOW64\Zombie.exe
  "C:\Windows\system32\Zombie.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2447855248-390457009-3660902674-1000\desktop.ini.exe

Filesize
68KB

MD5
05abaa8199e296f78bec62f425d4d1ee

SHA1
d15be185030a58f3bd03c30199f875088a120a20

SHA256
c9bbf44e72c0a6adf80300be257446510a4b5578dada45df6b29641bb65f7a19

SHA512
944d0dd778c832d9793f9ac59fb316fb44ec546b1fbc7da457ce490856a877cd79e33ab337a4d28a738257ca469e0ac7b5560eca0ea77b31f2245275c7dc7ba0

Download Submit
C:\Windows\SysWOW64\Zombie.exe

Filesize
68KB

MD5
f9c9886e33fc26d661b3127d7697ae5e

SHA1
8b68fa227501fa70b9fac83d1bfe5805cebd764e

SHA256
dbd9af5d92412f9c1a1ade58a584e908dd4180ddaedb2e28a283219cf2b27274

SHA512
61b064190785354a4e8dea2706069020d986c782320f009ecb7d2ac3671354ac61e21d5e1e3bc831adf2a02db735a3cf23b6498eb9eb6478ad0942edb7f54228

Download Submit
memory/4680-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4680-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads