5b5b3fb978809d16969dea2a09186f085405b049792348f5b8af3b3d8cd67330

General

Target

41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
Size

219KB
MD5

41d2c387f470e6406be9bcde57772610
SHA1

a6ba31e69cb629d68ab7dd408dae7b06b6787747
SHA256

5b5b3fb978809d16969dea2a09186f085405b049792348f5b8af3b3d8cd67330
SHA512

8bdba481f05b4b55541f4730b050faf6fb064c780c281e562a15064c987f32337e82f8069782d6b4e8a85ea7fd2f9ca86194c7c3897a211b837fb499310ef6ff
SSDEEP

3072:+nymCAIuZAIuYSMjoqtMHfhf9fAIuZAIuYSMjoqtMHfhf+:JmCAIuZAIuDMVtM/LfAIuZAIuDMVtM/4

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4367) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4740-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/4740-1468-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Input.Manipulations.resources.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ta.pak.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Input.Manipulations.resources.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcp120.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Xaml.resources.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsBase.resources.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jvisualvm.txt.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-pl.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql70.xsl.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationFramework.resources.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_socket.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-oob.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Core.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ppd.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.ZipFile.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Xaml.resources.dll.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\javaws.policy.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt.tmp	41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\41d2c387f470e6406be9bcde57772610_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:4740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp
Filesize
219KB

MD5
b653feb65a47d793d1c27c37900ea017

SHA1
683a2cf9e484a9a0ca5ac69e5ec4ee30e41684c5

SHA256
e47f806a2d37f2ffd299c9fae5c502ae4298616f3b25dbc880cf06724444d696

SHA512
d567666a6f5492ccb8187a4990e91ddf9bed09b4b35a75a0d4ff65a9d7a633015d769fd4b6983603a028aa3405a71550e844677c749d9d765b87e93d8e93260f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
318KB

MD5
5854aff56ff09303a48a87a269003174

SHA1
da972b8431064f56b0ccd47bd09bb87d1702276e

SHA256
be0b3652e6e877b804a03756435144e5c8785e0e589bfb4f8347d9bcfc7fad2d

SHA512
56d1b21314481ce1a90040b6a7eb0740c6042c998814e89ed827e09303d55ae30a82840776201ab985ed8809bda216a000c266eb5d5ef655bfe29a4aad4a7c20

Download Submit
memory/4740-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4740-1468-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing