33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb

Analysis

max time kernel
108s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe
Size

59KB
MD5

b4c7c8d7ccb5c2d5e7e3cd8029512c50
SHA1

1f28a3522e9013da6b1fb040ea6f0b362b7056d2
SHA256

33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb
SHA512

4a2ebcb544baf67313bfe8d814c4bc1082f4200d39113c7dae3f9d28c2d5da97eb983f4d406b99e0201782545ab438a3692499ae2110981c8c0429b5619d68ab
SSDEEP

768:W7BlpppARFbhFANJKaJKjZP7PKCZapW0/13cYqSC9z/+:W7ZppApoJKaJKjZP7iNpW0/137qSez/+

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (2933) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

_MofCompiler.exeZombie.exe

pid process

2136 _MofCompiler.exe
1356 Zombie.exe

pid	process
2136	_MofCompiler.exe
1356	Zombie.exe

Loads dropped DLL 3 IoCs

Processes:

33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe

pid	process
1484	33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe
1484	33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe
1484	33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe

Drops file in System32 directory 2 IoCs

Processes:

33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

Zombie.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations_2.4.0.v20131119-0908.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiBold.ttf.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\MANIFEST.MF.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Oslo.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\management\jmxremote.password.template.tmp	Zombie.exe
File created	C:\Program Files\Internet Explorer\F12Tools.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Khandyga.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EET.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\icudtl.dat.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.ssl_1.1.0.v20140827-1444.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationCore.resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2ssv.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\St_Johns.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\bin\libxslt.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Kiev.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Cairo.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Anadyr.tmp	Zombie.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png.tmp	Zombie.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Resources.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_ja.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jre7\lib\management\jmxremote.access.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+5.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\jhall-2.0_05.jar.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_zh_CN.jar.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe_MofCompiler.exe

description	pid	process	target process
PID 1484 wrote to memory of 2136	1484	33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe	_MofCompiler.exe
PID 1484 wrote to memory of 2136	1484	33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe	_MofCompiler.exe
PID 1484 wrote to memory of 2136	1484	33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe	_MofCompiler.exe
PID 1484 wrote to memory of 2136	1484	33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe	_MofCompiler.exe
PID 1484 wrote to memory of 1356	1484	33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe	Zombie.exe
PID 1484 wrote to memory of 1356	1484	33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe	Zombie.exe
PID 1484 wrote to memory of 1356	1484	33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe	Zombie.exe
PID 1484 wrote to memory of 1356	1484	33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe	Zombie.exe
PID 2136 wrote to memory of 2600	2136	_MofCompiler.exe	WerFault.exe
PID 2136 wrote to memory of 2600	2136	_MofCompiler.exe	WerFault.exe
PID 2136 wrote to memory of 2600	2136	_MofCompiler.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\33b87797901292f6247a6a84a762c44baecb769ca4bee021bc4f36ade93a5bfb_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\_MofCompiler.exe
"_MofCompiler.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2136 -s 512
3⤵
PID:2600

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1356

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2737914667-933161113-3798636211-1000\desktop.ini.tmp
Filesize
37KB

MD5
deb3114ed138a4bab3ae4bca887c786e

SHA1
a6ccd47126a287c1e604e040eeaae6de2e0c5e4d

SHA256
b02064542436885b6790ad4559338557f8b7f0760e342701cdc9dc567808a76f

SHA512
fc96b15ff52e3b075184481fbc5b9801cbc6fed39712b434222fa55f689a63012719f119f8415cb7466cfc04cc201e3db65aed24a1a84d537f9d0202234ee67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MofCompiler.exe
Filesize
21KB

MD5
0fe6e0e01318f2a27ece0176423ea4f8

SHA1
71cf6aaa4a88a2e892ce113fe35518441a58a97d

SHA256
36217b7c4ac6aabc74a7f9d0d8da2002f5909d1d6dcb663c9cb1ec2c02a387b3

SHA512
56be67fcf76f46a171c0ebcaa988e1e20cdba5fa91871e076b424b0b9bdd21219a19ca70c85314e5a79c1f878b7f68d7e51596b49536296e41ded5846158ac9b

Download Submit
C:\Windows\SysWOW64\Zombie.exe
Filesize
37KB

MD5
e9950d542a10bdd1c84b5039f7acac07

SHA1
0032e7b5fd754df9029c33ce789853ae0aead09d

SHA256
1d4f69a1c526e0fa0c4e94008dc82a732b9d9cbe88ea27d5dc67dbb4f2202452

SHA512
edb29fa48a3ac889cf8989cf4ee4c1326b64792a4e7412b0aaf49eb06d7c1ef0cb5c84b69c24133a5bbe821f2a05ca8f77360f475fbcd38c1c8e4b900fc8b5b9

Download Submit
memory/2136-20-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/2136-19-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads