af6f228e74b7a09c9a6d2cc48e5d0fe69ff1db16154699cc2ee9f74b3be3d974

General

Target

a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
Size

40KB
MD5

a1903136a42bffd55b51d1c260e038c0
SHA1

0548edf16967861e18b454ef9ee547ce4c258e67
SHA256

af6f228e74b7a09c9a6d2cc48e5d0fe69ff1db16154699cc2ee9f74b3be3d974
SHA512

969f825e7c70a76724bcfe2b344067a3ba0f41dd8249bab08eba0965b84af829489b60d46c86c3b2e2a14774551da3141ff213b30cca1f1d2ab8b6ebfd0364df
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAF5:CTWn1++PJHJXA/OsIZfzc3/Q85

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4678) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4056-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1162180587-977231257-2194346871-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/4056-758-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\host\fxr\6.0.27\hostfxr.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\desktop.ini.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-pl.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ValueTuple.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\ReachFramework.resources.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\SUCTION.WAV.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Input.Manipulations.resources.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClientSideProviders.resources.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Primitives.resources.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\optimization_guide_internal.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\javafx-src.zip.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlDocument.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Input.Manipulations.resources.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClientSideProviders.resources.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Common.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Internet Explorer\ExtExport.exe.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql70.xsl.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Numerics.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsFormsIntegration.resources.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKWord.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ul-oob.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Writer.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Input.Manipulations.resources.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glib-lite.dll.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms.tmp	a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a1903136a42bffd55b51d1c260e038c0_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:4056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1162180587-977231257-2194346871-1000\desktop.ini.tmp
Filesize
40KB

MD5
4d83d90920a8123cb5b480eabd99ec34

SHA1
426d1756dcef893a2c79a27f5f0de89c7b7a3b9c

SHA256
f0ceb5c25151b67159920d2d530886fbd9c0f77eb20505ebb27bbab10d35bab2

SHA512
399f26735f3def66ffdfbd704729429822c0322f31641b7e4a702659894eb1ce815a1987b09fb73c4e306ccef05bf5df6e8cda3c1d8a5d80b16e272929e28340

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
139KB

MD5
bad2cacfed64aa1abe9c2eb4b55ec7dd

SHA1
b16d258d943b3ccf28923f9948dea6dec7bafcd4

SHA256
bba46fb9dbbddcbda1fc3a52378accf29972804a663749e1a9919b596faa1705

SHA512
c66539a865cdb26f48b8bd16d80aeff1796446efb32a0859c94ac3cdb9af70a213533ec771526e0ff7eb5e2627bf0d6ee58307ec443e14b100abe7922aaa072e

Download Submit
memory/4056-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4056-758-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing