f4811bf8b8f3d31cbb7d53b408248ef904ae7445ff14f3ea622285e98d26d622

General

Target

cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
Size

199KB
MD5

cf1d604f10b53ec3dc9579566f858da0
SHA1

c704424dd5c7fde15621f445fd096c5ae5ad7644
SHA256

f4811bf8b8f3d31cbb7d53b408248ef904ae7445ff14f3ea622285e98d26d622
SHA512

13d9eb894aa597aa014c946e0ee5cc7de1ff9634e3a6ab636042f07f8cf204cb9835d81f8efbe55838eedc0447dbe24a63be8076cd053298e6b2a26d49306469
SSDEEP

3072:fnyiQSolxjO5HSSLq9zobS2NRhn88P6u3hQulwq:KiQSom5HJLq9h2Nv8JuReq

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4302) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2932-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/2932-1492-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Integration\C2RIntLoc.en-us.16.msi.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Design.resources.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-synch-l1-2-0.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.Extensions.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsFormsIntegration.resources.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-ms.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Design.resources.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationCore.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\lib\orb.idl.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\verify.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-phn.xrm-ms.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.resources.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\wsdetect.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.runtimeconfig.json.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsdt.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationFramework.resources.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClient.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\icu.md.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp	cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cf1d604f10b53ec3dc9579566f858da0_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:2932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp
Filesize
200KB

MD5
e4bd736a5769a641ea199adae3597007

SHA1
3fbeee6934c3f3b41408c15e86f2e2f16407e1d4

SHA256
36815df43aa900135ffa4ff58d782640f153a70a4bc247fb0242ccd035d9a130

SHA512
ec69564846672fcc8bcb7b163bb57dd2116b44472271df4764329b0bc4bd89ca23d5d3aca9e77c6e5ad6c5c52d4f4514fe18787e0295eb16bef1ad91b1092bcf

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
299KB

MD5
4cdc13e41d9ed7cc1c8a6ebb0cfb156d

SHA1
124f862710dcbab11fe6f29c771882e1484cb043

SHA256
9190a4329adfe1682e0141ace0d5a0e8a9af632b2dc44b3f6193351f1c283d76

SHA512
a618985784a1c6caa1476b7b8f53cfc658de804f8eb86f291806300131bd587b998d096cc6828ab5d9d4f43c6dd73ec4643e5fe83904c6aa745f963357df8cb5

Download Submit
memory/2932-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2932-1492-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing