07a1e9d22e31f238ce86947d87850e74cc516bd8b8baffacdd05a8b5286e35ff

General

Target

41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
Size

217KB
MD5

41f01e35afe5f7ea68ef58f5f68d50c0
SHA1

c500d41d360e14ae7099ddfa8dd456c78db9f4bf
SHA256

07a1e9d22e31f238ce86947d87850e74cc516bd8b8baffacdd05a8b5286e35ff
SHA512

cb57e3b52c013c16bd2d44d30906da21f85654e7978c7affd8a83b5831d50ddad9b96888d93524c1d34db4a1fefe07d99fd02386cd3b8b2e5118935b5baf9371
SSDEEP

3072:+nymCAIuZAIuYSMjoqtMHfhf9fAIuZAIuYSMjoqtMHfhfA:JmCAIuZAIuDMVtM/LfAIuZAIuDMVtM/W

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4618) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4500-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4018855536-2201274732-320770143-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/4500-1604-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.Client.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClientSideProviders.resources.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClient.resources.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.FileVersionInfo.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-ms.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Sockets.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ReachFramework.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\hu.pak.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-pl.xrm-ms.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Asn1.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-oob.xrm-ms.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsFormsIntegration.resources.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\et.pak.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ta.pak.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsdt.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clretwrc.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsFormsIntegration.resources.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ppd.xrm-ms.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\content-types.properties.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.Editors.dll.tmp	41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\41f01e35afe5f7ea68ef58f5f68d50c0_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:4500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4018855536-2201274732-320770143-1000\desktop.ini.tmp
Filesize
217KB

MD5
3f6a85eb6f8922925286ca8a8381a15a

SHA1
66eba125b9f2b0316b4dcac96590572db535984c

SHA256
24afb6ec5384eceeef92efb244a1b00a4216afece9c21a3bd186abbaeec14934

SHA512
ea579e1a8cb42428ecf923e28698318ec626bca85527d5eb5ace655495f41e501f9cf8e39f40e8c269490e8890446561fc526ebaa32460c8fdd14383b3dfefad

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
316KB

MD5
8329b9913150c789e809c7859971b1d4

SHA1
68ad2367da6d92acd8bfee2784a54b400eeaf056

SHA256
dd935a9fe4fd6f8bdbd0b0d5beb1fd8fc7da7c4daa768c9ee6677267f3c001d9

SHA512
e32eb74750cdae8b0c64fe7724ec8da16eed10700a9646bb3c04f826f8301b58497a008565c700499615fadd052787120ca7de1a8d57f32d46d615f4f13c6376

Download Submit
memory/4500-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4500-1604-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing