6fe9f91eb021d319ed3bd320fe6409cc60281af87b7b797a9d01defa207cabe5

General

Target

347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
Size

52KB
MD5

347cb6099f2c8457a1a8dff4f3bc3960
SHA1

be4df16b13f796e8232add826144ee1d925951a6
SHA256

6fe9f91eb021d319ed3bd320fe6409cc60281af87b7b797a9d01defa207cabe5
SHA512

0601e72fb0396c8c0bd7edfaf7727a699c285f59e2ac2164cfcb950a774f0ce56e3aa85af45f05d951b3d486474b46a2670a1af2c07527d5fa725a5a87ce66f5
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFFr:CTWn1++PJHJXA/OsIZfzc3/Q8yiemx

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5199) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1432-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.chm.tmp	upx
behavioral2/memory/1432-1096-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-runtime-l1-1-0.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Uri.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\dom.md.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsBase.resources.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java.exe.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAME.DLL.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XML.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationProvider.resources.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.VisualC.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.SystemEvents.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\javaws.jar.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Xaml.resources.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.properties.src.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.boot.tree.dat.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.DiaSymReader.Native.amd64.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\plugin.jar.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\REFEDIT.DLL.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\ReachFramework.resources.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Primitives.resources.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\uk.pak.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\ReachFramework.resources.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\bn.pak.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.Edm.NetFX35.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\jce.jar.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-pl.xrm-ms.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp	347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\347cb6099f2c8457a1a8dff4f3bc3960_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:1432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8
1⤵
PID:4008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.tmp
Filesize
52KB

MD5
56b4c89fc66b3dd0b901f75d4d77771f

SHA1
ef0e638f9772538d1f88ad115a0b6246fa43682d

SHA256
0548e4b282f07a1f5ca12b593bebbce84722bb94913e9c9e99d4b99243ae2bba

SHA512
5e30c03f1f64702e1337e9bf4b2ed0586f711bada59bc41c1b62bfddd1f9447be061baaf49069d4d975749b36bff92ee5b83f684f9f77c130e1f5951686ebf55

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp
Filesize
165KB

MD5
f4e69ff4279f773c8ad3bcc1925f161a

SHA1
e07f08cf25665bfde9f7ddc8aa4aa5afa91fc074

SHA256
13c7e8ea0076d6480076ae10bf895f46d0922eb724b6839945aea149ad029ddb

SHA512
21fa615088cde809b53929c5426f8cacc69e80b98e747b26798075d3b01e28c45236710d2a60c4cd1816f318ae379dc01c0f88782fe28da9b29b45a4ad220ce7

Download Submit
memory/1432-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1432-1096-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing