3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe
Size

194KB
MD5

83a573328a596194fa8ba56940e056e0
SHA1

001200a9a06e5bd72fc638ced72380b438010823
SHA256

3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e
SHA512

dce23fa54877836029dd508bec65de157cb44c6f4221677a809e05ddb0d3aedb35845f9bc46bb22cfe41d59e45ba074cb31d034d0774a6244835a0077ddfa843
SSDEEP

3072:KQSorD98HpKI6GCLOwstyhZFChcssc56FUrgxvbSD4UQrO2LxW:KQSoX9GpKbShcHUaA

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (711) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

_choco.exeZombie.exe

pid process

2704 _choco.exe
3052 Zombie.exe

pid	process
2704	_choco.exe
3052	Zombie.exe

Loads dropped DLL 3 IoCs

Processes:

3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe

pid	process
2268	3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe
2268	3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe
2268	3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2268-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
\Windows\SysWOW64\Zombie.exe	upx
behavioral1/memory/2268-6-0x00000000002D0000-0x00000000002DA000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-39690363-730359138-1046745555-1000\desktop.ini.tmp	upx
behavioral1/memory/3052-20-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Zombie.exe	3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Zombie.exe	3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

Zombie.exe

description	ioc	process
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Abidjan.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\eula.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Godthab.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpnr.dll.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ko.properties.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\fr-FR\WMM2CLIP.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf.tmp	Zombie.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties.tmp	Zombie.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ta.pak.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\tr.pak.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxml2.dll.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak.tmp	Zombie.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv.tmp	Zombie.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.bat.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\de-DE\OmdProject.dll.mui.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png.tmp	Zombie.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png.tmp	Zombie.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe

description	pid	process	target process
PID 2268 wrote to memory of 2704	2268	3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe	_choco.exe
PID 2268 wrote to memory of 2704	2268	3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe	_choco.exe
PID 2268 wrote to memory of 2704	2268	3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe	_choco.exe
PID 2268 wrote to memory of 2704	2268	3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe	_choco.exe
PID 2268 wrote to memory of 3052	2268	3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe	Zombie.exe
PID 2268 wrote to memory of 3052	2268	3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe	Zombie.exe
PID 2268 wrote to memory of 3052	2268	3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe	Zombie.exe
PID 2268 wrote to memory of 3052	2268	3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe	Zombie.exe

C:\Users\Admin\AppData\Local\Temp\3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\Zombie.exe
"C:\Windows\system32\Zombie.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3052

C:\Users\Admin\AppData\Local\Temp\_choco.exe
"_choco.exe"
2⤵
- Executes dropped EXE
PID:2704

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-39690363-730359138-1046745555-1000\desktop.ini.tmp
Filesize
52KB

MD5
642afc52829cfa72860ff4f5d20173cf

SHA1
e62958a758238dde24a0115279119fca985f9735

SHA256
281a783c2365f1f844b71292a5096456fe10aec05f498b7b6afad02f1f66957f

SHA512
8a395b676ee392add028ca93bdaa7bf11d28a69891750bc0d61e83fce0d8df48c8cd5ea365da54930888d64924fd82a78285378754f3dd9f3c123bacaa14502d

Download Submit
\Users\Admin\AppData\Local\Temp\_choco.exe
Filesize
142KB

MD5
81a7c181639679983efb07c2dea2ebd0

SHA1
93370e8e5cb0d89bf6786445f94dd02dbb84b574

SHA256
8320c7f90f65b48e4031b680506a9579751789ded4d90fa2fbfc2fb7db7e3ec8

SHA512
599cca13e527c92cdf88df06ed8a01eee1bc602c565ab69e251f7414e19833ce42f0453771bfdf27d16f9f70112835b599d26a6ed92901fdf86bbdf8adf4d2f7

Download Submit
\Windows\SysWOW64\Zombie.exe
Filesize
51KB

MD5
88d20465fab8100c30c81a06f8f93540

SHA1
0022afdc511966f9b7918667c44aa94c6e66740b

SHA256
4c11a90579007ca1c146c8605ffcbe26cda0c451f8c6c3369088fd0769f2cfe5

SHA512
3b8865c026098f34cdf0273b26cef0c3a3bc602e6e18513387368cef5d208d5185d7b22b6eb3b0a2f26bf0b13f7c324c343983494fb2a1883c582931ef443658

Download Submit
memory/2268-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2268-6-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/2268-19-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/2704-23-0x000007FEF5FE3000-0x000007FEF5FE4000-memory.dmp

Filesize
4KB

Download
memory/2704-24-0x00000000010F0000-0x0000000001118000-memory.dmp

Filesize
160KB

Download
memory/3052-20-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads