7e3acd00f381e0bd2ddb873f98ab0468b1837f2107cbfbe60c6210a604ebacdf

General

Target

44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
Size

233KB
MD5

44cf3d6a0dd2d109dca13ade9f440ac0
SHA1

9c08fa245c5d236f352bdd0bfafca091c7e9fa34
SHA256

7e3acd00f381e0bd2ddb873f98ab0468b1837f2107cbfbe60c6210a604ebacdf
SHA512

c5af94893c102b9de19a57b21e292db04c3369d34049454834aa8af0817a75ea5fab8e80ba1de0693411ede8ead6ce71eb4a6304bdb09edc8586b98ae36fd3d5
SSDEEP

3072:+nymCAIuZAIuYSMjoqtMHfhfFfAIuZAIuYSMjoqtMHfhfk:JmCAIuZAIuDMVtM//fAIuZAIuDMVtM/m

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4571) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/516-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/516-1480-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClientSideProviders.resources.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Input.Manipulations.resources.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TextWriterTraceListener.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-80.png.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Buffers.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Extensions.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemCore.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\es-419.pak.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\LogoBeta.png.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.PowerBI.AdomdClient.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\klist.exe.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-oob.xrm-ms.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-oob.xrm-ms.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Xaml.resources.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.Registry.AccessControl.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-math-l1-1-0.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-debug-l1-1-0.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemData.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-phn.xrm-ms.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXmlLinq.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\lib\tools.jar.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Immutable.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\ReachFramework.resources.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL.tmp	44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\44cf3d6a0dd2d109dca13ade9f440ac0_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.tmp

Filesize
234KB

MD5
d6f83f3e0aa6568df2bba2d03d7be4e4

SHA1
2aab502f9c63ac63686a504c5b4693ea2bee3d8f

SHA256
f5b1d67d086c2fef118f1acfaa1372ebeabf9505327e193160132f322e009dd3

SHA512
4e589b289ee7b4193c91e709667b47211b8dd62e3360b7a5f71b526f6bb72061a7180da56e2e2a2b79c2d866ffd6518419422e76b62e2c9791b3a954c7bb7fb9

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
333KB

MD5
f75443687a0f508e8937fef870671ac0

SHA1
91e66c708279aa184c518520d5fb87dceef1b07e

SHA256
fd6c6964b6cd43cf03e714f073a46608bea986fa19404cbb7ed5494d2cb5042f

SHA512
9564ed085541c48fbc17e7aa111bcc5a59a46953bbb61e75cbb8e70941e8132de1d8e1e7ab00b3cefe257b790c0332e17f503df7a4e486149ed3375a8fae1dcc

Download Submit
memory/516-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/516-1480-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing