f6eaa399be182c3d3bc1fcf84b43cda8cd915c79896115afa887cbf4bc5aee56

General

Target

43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
Size

158KB
MD5

43f51244e9354228cc97beac972292a0
SHA1

e0b2bb6e004b17a93bad820276193c5f873e3062
SHA256

f6eaa399be182c3d3bc1fcf84b43cda8cd915c79896115afa887cbf4bc5aee56
SHA512

d680c3670d6c752b9e9a7e8ea6bb6846dd8621a7197a3eaccf786cea7f11fc92d77643e196e04536515bda9ae4103a46e92e0008839b2f3938d790c4766deb1b
SSDEEP

3072:KQSo1EZGtKgZGtK/PgtU1wAIuZAIuXwFwtdB:KQSo1EZGtKgZGtK/CAIuZAIuR

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4737) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2244-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4018855536-2201274732-320770143-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/2244-852-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-oob.xrm-ms.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPINTL.DLL.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\classlist.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrgc.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationFramework.resources.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\vcruntime140_cor3.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\sk.pak.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ct.sym.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\verify.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSVG.DLL.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationProvider.resources.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationTypes.resources.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-oob.xrm-ms.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-ms.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul.xrm-ms.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Overlapped.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebProxy.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_socket.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClientSideProviders.resources.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogoDev.png.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\ReachFramework.resources.dll.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\sRGB.pf.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLL.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSVCP140_APP.DLL.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.tmp	43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\43f51244e9354228cc97beac972292a0_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:2244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4018855536-2201274732-320770143-1000\desktop.ini.tmp
Filesize
158KB

MD5
12e19fe5a824e71288d8b5f993f33e27

SHA1
6c266bb28df05b66dd6aee222c1817f5e07cd3e9

SHA256
56fdb345f1df67c159fb4c8a927cb33af439b397a000b21ccbdfe855d460b819

SHA512
d03aff3016b9476b2ef2d432c2a38065ace6b7a5067a29990daa39b01c58c957a6d23e725b2c3c5b15595db9b305fd1d0da9f1719f96d4a01bde31ab61c8d9a0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
257KB

MD5
80756905133fa9893066267aaf71028f

SHA1
26788e6793b1d6b5355c41c95c39e79b0a4bf841

SHA256
726b4de688c4b296c02cc0521f745df52fea5f42219c27c0318811fc2145d46a

SHA512
b364a93d5bd81623fa2012fdfb83f735d434d44d909f2fac6633684396829706155a8b92d4b92882aa9806c854275e3eb31bb250bb8ef2b49b065fe2f5029183

Download Submit
memory/2244-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2244-852-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing