0e6bc29b814021e40b06c16b703ba8852e677f6e529ab81f27c1309d6ec29b65

General

Target

4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
Size

74KB
MD5

4fded5239363b119a9a65348573ca630
SHA1

c44eace8f4431dd1574377f745f86194d42541cf
SHA256

0e6bc29b814021e40b06c16b703ba8852e677f6e529ab81f27c1309d6ec29b65
SHA512

8211e9d376d3aee9c7392ccc6e456ddb4faaf8b5b21762505b96ea15df13891d93cfa4032dd5fd7830d121c0dd22de5503ace01478a1d801c0f241ed7e51ee7b
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8yil:fnyiQSo0

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4868) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/900-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/900-1802-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-memory-l1-1-0.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-180.png.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Expressions.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\coreclr.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Brotli.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ppd.xrm-ms.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690Nmerical.XSL.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\msipc.dll.mui.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-pl.xrm-ms.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipTsf.dll.mui.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.deps.json.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Extensions.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL010.XML.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Input.Manipulations.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javap.exe.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-pl.xrm-ms.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationCore.resources.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHLTS.DLL.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140_1.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\management.properties.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.winforms.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS0009.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Queryable.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationFramework.resources.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\decora_sse.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\jawt.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\flavormap.properties.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-oob.xrm-ms.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.ResourceManager.dll.tmp	4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4fded5239363b119a9a65348573ca630_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini.tmp
Filesize
75KB

MD5
4fd4ab3251abda4c704bd78200030085

SHA1
043ebd6d32ae33bdf872b3cb76b9bb1c362002ed

SHA256
445d2ccccc19cfdca0143d6043d75cdfd737408e38c5c459abab96b1f792158e

SHA512
88ab73d4de64bc98c0b45a9a0160332606204b3189fc1c17b5bcb18b5ed3bf8904e090c1b836744dc4c004dadf3f7531e62eeff5cd9082df5a28dcbd370a9a65

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
173KB

MD5
fd84a4e0ad8c5c20a10d0bcaa70f7c6c

SHA1
357287a1614f858711cfa179ebae2e2517a203a7

SHA256
639ae43568998efdd90f8b676285a497b02b8ecf00f1b9ef2ce6940de2633a41

SHA512
c43722d1b3aa1cbb1e32eb403f8eca78f292b0f55b114cd8089e509453214c6573ab0dee68564981d2f0b3cf6c10b5426980324e3c81a8b1c8a509f827c51376

Download Submit
memory/900-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/900-1802-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing