Analysis
- max time kernel: 142s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 04:39
Behavioral task behavioral1
- Sample: 3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe
- Resource: win7-20240611-en
Behavioral task behavioral2
- Sample: 3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe
- Size: 194KB
- MD5: 83a573328a596194fa8ba56940e056e0
- SHA1: 001200a9a06e5bd72fc638ced72380b438010823
- SHA256: 3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e
- SHA512: dce23fa54877836029dd508bec65de157cb44c6f4221677a809e05ddb0d3aedb35845f9bc46bb22cfe41d59e45ba074cb31d034d0774a6244835a0077ddfa843
- SSDEEP: 3072:KQSorD98HpKI6GCLOwstyhZFChcssc56FUrgxvbSD4UQrO2LxW:KQSoX9GpKbShcHUaA
Malware Config
Signatures
- Renames multiple (5068) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  3044 Zombie.exe
  4604 _choco.exe
- Processes (resource / yara_rule):
  behavioral2/memory/4000-0-0x0000000000400000-0x000000000040A000-memory.dmp: upx
  C:\Windows\SysWOW64\Zombie.exe: upx
  C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.exe: upx
  behavioral2/memory/3044-12-0x0000000000400000-0x000000000040A000-memory.dmp: upx
- Drops file in System32 directory (2 IoCs)
  Processes (description / ioc / process):
  File created: C:\Windows\SysWOW64\Zombie.exe by 3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe
  File opened for modification: C:\Windows\SysWOW64\Zombie.exe by 3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe
- Drops file in Program Files directory (64 IoCs; files created by Zombie.exe under C:\Program Files with a .tmp extension appended)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description / pid / process / target process):
  PID 4000 wrote to memory of 3044: 3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe -> Zombie.exe
  PID 4000 wrote to memory of 3044: 3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe -> Zombie.exe
  PID 4000 wrote to memory of 3044: 3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe -> Zombie.exe
  PID 4000 wrote to memory of 4604: 3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe -> _choco.exe
  PID 4000 wrote to memory of 4604: 3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe -> _choco.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3608b39a72c56f3c6ce2d805df30abddff09743efcb993ad8dc4c7fa220fd93e_NeikiAnalytics.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Zombie.exe (depth 2)
    Command line: "C:\Windows\system32\Zombie.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
  - C:\Users\Admin\AppData\Local\Temp\_choco.exe (depth 2)
    Command line: "_choco.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.exe
  Filesize: 52KB
  MD5: 86fe05dd016b9528fa1896ab2be2bf28
  SHA1: 0dd6db704dfd915252e26089fbe45d23dc35cc1d
  SHA256: 2ae4da390990dc2400561568ab9eac36aa0edde18083c557bd7ba8aa02665174
  SHA512: c54aca16d1cb0bb4dec30f0b5f702df40dcbede86e0d139e57c2a32a51c275d7b47f6be2728a4d474be25ca3c384a55c3438770e60b2610e8503d3651bfcd44b
- C:\Users\Admin\AppData\Local\Temp\_choco.exe
  Filesize: 142KB
  MD5: 81a7c181639679983efb07c2dea2ebd0
  SHA1: 93370e8e5cb0d89bf6786445f94dd02dbb84b574
  SHA256: 8320c7f90f65b48e4031b680506a9579751789ded4d90fa2fbfc2fb7db7e3ec8
  SHA512: 599cca13e527c92cdf88df06ed8a01eee1bc602c565ab69e251f7414e19833ce42f0453771bfdf27d16f9f70112835b599d26a6ed92901fdf86bbdf8adf4d2f7
- C:\Windows\SysWOW64\Zombie.exe
  Filesize: 51KB
  MD5: 88d20465fab8100c30c81a06f8f93540
  SHA1: 0022afdc511966f9b7918667c44aa94c6e66740b
  SHA256: 4c11a90579007ca1c146c8605ffcbe26cda0c451f8c6c3369088fd0769f2cfe5
  SHA512: 3b8865c026098f34cdf0273b26cef0c3a3bc602e6e18513387368cef5d208d5185d7b22b6eb3b0a2f26bf0b13f7c324c343983494fb2a1883c582931ef443658
- memory/3044-12-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB
- memory/4000-0-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB
- memory/4604-21-0x0000000000790000-0x00000000007B8000-memory.dmp
  Filesize: 160KB
- memory/4604-22-0x00007FFC9BDF3000-0x00007FFC9BDF5000-memory.dmp
  Filesize: 8KB