Overview

overview

10

Static

static

3

8a9ffacfca...cs.exe

windows7-x64

10

8a9ffacfca...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/06/2024, 06:49 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe

  • Size

    319KB

  • MD5

    e875f3e021beab1203a92da7fbe51490

  • SHA1

    36dfa6259dcaf170959c56ea54b85233bfbff4c7

  • SHA256

    8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99

  • SHA512

    2f2f21279c80385e7a246941e43091fe8988bf886395c0ad260ae435a992dea77f1c036b174da7d54c6ecd3fab2af22a6bea6985c79520574694e86191241a2e

  • SSDEEP

    6144:vwU64s9KvnLbLtvSVLx9y9TBA3QvEOpP7WYhw1bRh2Z:vc4s9KvfZ679y9TagvEEP6SwR+

Score
10/10
azovdiscoverypersistenceransomwarewiper

Malware Config

Signatures

  • Azov

    A wiper seeking only damage, first seen in 2022.

    ransomwarewiperazov
  • Renames multiple (143) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:2360

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    80.90.14.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    80.90.14.23.in-addr.arpa
    IN PTR
    Response
    80.90.14.23.in-addr.arpa
    IN PTR
    a23-14-90-80deploystaticakamaitechnologiescom
  • flag-us
    DNS
    69.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    69.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    80.90.14.23.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    80.90.14.23.in-addr.arpa

  • 8.8.8.8:53
    69.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    69.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\7-Zip\Lang\RESTORE_FILES.txt
    Filesize

    2KB

    MD5

    78ede93114e65f9160fd03d3357c56e6

    SHA1

    88d531b101e57655f1d0d26c6b3257aa2468d460

    SHA256

    c97412fbf88da8f91099a52888dea4c3f222cd95af3e681e3271cbca8b6b7bb5

    SHA512

    074a4c741273902ccacb6f573b96d8accedb2ee405dbd04350cdbf54d180c1fd577a4e90c2aae26bf72f3782403f4494db6e3501a04cfd9d7d81a6bc14884b9d

    Download Submit

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    5a3b209f5ccb92ec08ded37233d5ed1e

    SHA1

    ae2f89002e90806f5ea1977701053858b8bc2b01

    SHA256

    6a7b3255aad98eb56bcc5a54258c27fb6b03a5f4349c704d671b8865b02d8af0

    SHA512

    e1da8a9be79bd613afb00714758e49e5961a56cda875f15e0499437a6456f1a79175ad9b6715f35908773a9854cef30d651dcdcd35d109a04b6c3480eaa75eab

    Download Submit

  • memory/2468-3-0x0000016748030000-0x0000016748035000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2468-2-0x00007FF6CC290000-0x00007FF6CC2D7000-memory.dmp

    Filesize

    284KB

    Download

  • memory/2468-0-0x0000016748040000-0x0000016748044000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2468-4-0x0000016748030000-0x0000016748035000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2468-7-0x0000016748040000-0x0000016748044000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2468-6-0x0000016746760000-0x0000016746767000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2468-11-0x0000016748030000-0x0000016748035000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2468-164-0x0000016748790000-0x0000016748A00000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2468-403-0x0000016748110000-0x0000016748111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2468-427-0x0000016748790000-0x0000016748A00000-memory.dmp

    Filesize

    2.4MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.