b52b2e8b5319905b765716c775033dca3cc0b191c3ac410d34de1fde8a07b005

Resubmissions

13/05/2024, 10:09

240513-l7ag4ahf7s 9

13/05/2024, 10:05

240513-l4hpasae49 9

13/05/2024, 08:36

240513-khmkpaee61 9

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
Size

152KB
MD5

aaac11137aa88a7acc11e5070e674900
SHA1

a571fb84922b258933262d20e4b48095effc57e1
SHA256

b52b2e8b5319905b765716c775033dca3cc0b191c3ac410d34de1fde8a07b005
SHA512

97de855675c11b2595a88046becad33f8c695be3620641058e6c54ce16ac47de04b77dea058e83ce337bbafc4cf6099883e104ce1f8f0dead45099545989fb55
SSDEEP

3072:KQSo1EZGtKgZGtK/PgtU1wAIuZAIuXwFwtd3:KQSo1EZGtKgZGtK/CAIuZAIuH

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4862) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1072-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000235e3-2.dat	upx
behavioral2/files/0x00060000000168ae-6.dat	upx
behavioral2/memory/1072-974-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationUI.resources.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.VBS.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.AeroLite.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\libEGL.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ul-oob.xrm-ms.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKPowerPoint.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\netstandard.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\dnsns.jar.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ChakraCore.Debugger.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Primitives.resources.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\hprof.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Candara.xml.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationUI.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\lib\orb.idl.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.DataSetExtensions.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClient.resources.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\sqmapi_x64.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.PerformanceCounter.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\msipc.dll.mui.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Windows.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Luna.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClient.resources.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\ReachFramework.resources.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.tmp	aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\aaac11137aa88a7acc11e5070e674900_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4320,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
1⤵
PID:2624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.tmp

Filesize
152KB

MD5
542455b927b9a7ba3fa9a144697b6d47

SHA1
d2312c8e655dc3020543c06c0511eae38d34c85a

SHA256
4ae0100741a3eac2109609b071bdae230aec9bf99af28594ab57b7575e30611b

SHA512
887c0592b2c02046fcd693a59c6c0e622b823be6895f1211b8966fb1cf3ff131f7fabc0d1fd4e20f7b55cd3873ad9710e2a29c556c31d25b67685d922a5c9b71

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
265KB

MD5
22e451bd695b7b9b93856e869c3e1a18

SHA1
efaf8c0e8be5e1abcb10c4d533d246193f95d57a

SHA256
dd9b849619fbf603ca929680cac971fdd88305c5234a830fd5ce9d77fa7d8f36

SHA512
8513abb88fa432f0ba7633f098d18b55191dd144caec78265c3c9336c409c5da304569042b9e9c93dc7d197ca12544065210dca0e46c52e6c96f1c517474a440

Download Submit
memory/1072-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1072-974-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download