d04e3ffbb999069b45a44ed7c2141998ba4d04473fe427f399ee01eb6b97eb4f

General

Target

6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
Size

102KB
MD5

6f22e00d6112070c3f18dc872e33af30
SHA1

5087c24bfe1a60dd4e9396dafbdcdcd0fe276a66
SHA256

d04e3ffbb999069b45a44ed7c2141998ba4d04473fe427f399ee01eb6b97eb4f
SHA512

24233190ddb260578885f857a2018b72289ead0d473a8abe72d4e3df40c22a82ff9ce64dae5d6466e26f0372241d262a3fa07c89a8fc6ed43d8cc597b6e8e8bd
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hf2bv:hfAIuZAIuYSMjoqtMHfhf2bv

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5014) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3840-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/3840-1090-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.JavaScript.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationTypes.resources.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsl.ttf.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\7zG.exe.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Primitives.resources.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_TW.properties.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul-oob.xrm-ms.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Forms.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN095.XML.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.Primitives.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\gu.pak.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.VisualElementsManifest.xml.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Calendars.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebProxy.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.manifest.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\msipc.dll.mui.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL058.XML.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ppd.xrm-ms.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClient.resources.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.dll.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-pl.xrm-ms.tmp	6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6f22e00d6112070c3f18dc872e33af30_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:3840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp
Filesize
103KB

MD5
143a7b3a69594d0c35a75c9487eb47c3

SHA1
4a4428b5f9990098d3f9563bc79113667a401fbe

SHA256
61853913cf46118b5f5988870b7eaa4ede2bf47053e4ba11fcec10fe8aa3f6b1

SHA512
38bc62b1a4c5c8406bdc4b7a7f89bda2efdc8960600be1f863e2d9c5df66f83d1c55ef767b800bfd6f51a23812b57d76472cc31d6f8ae0fb78616b55789e3103

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
201KB

MD5
6c45a9ce565f8e5d22707a9b4520cc90

SHA1
20be85b6c480588d1daa6acb0a86d44908991e0f

SHA256
85415113b7181eb9d35884dd4b0c146e7a1cb45dadc91d8dd40e7d47cd33f55f

SHA512
6a8c3b7d31406a703a8cf046467ec664a67adc2f193e7f374c9dcec1f7758ac36c6634888ffa91accdd23f6dbdc5f9c4e42ca9b7bec06a4144b196de779e80d8

Download Submit
memory/3840-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3840-1090-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing