17d9298ffa8f60105810df7a4d07d40a1359e4d52ad57f525873d5ab55bed48f

General

Target

6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
Size

101KB
MD5

6f89d151140c69ef3c3b2fc2a12c4be0
SHA1

aadba4131f312d482fcb6c6666e35b00274c012e
SHA256

17d9298ffa8f60105810df7a4d07d40a1359e4d52ad57f525873d5ab55bed48f
SHA512

5656cd1b8884c887029d6efb1577878ff7c22d398a805145439ad9b467e82c4fad2e78b8d0618a6f92822cf5836d734dbaeb159db2186fdf25aa354b66fda22c
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hf5SP:hfAIuZAIuYSMjoqtMHfhf5SskD

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4839) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/884-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/884-910-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Native.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Design.resources.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\TURABIAN.XSL.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\msipc.dll.mui.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ko.pak.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-pl.xrm-ms.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.Extensions.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\ReachFramework.resources.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javac.exe.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ppd.xrm-ms.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYML.TTF.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\flat_officeFontsPreview.ttf.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationUI.resources.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL109.XML.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\zh-TW.pak.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\npt.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClient.resources.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationFramework.resources.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Custom.propdesc.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2ssv.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Mail.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Parallel.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\nb.pak.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\management.properties.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Design.resources.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-80.png.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl.tmp	6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6f89d151140c69ef3c3b2fc2a12c4be0_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp
Filesize
101KB

MD5
45029d6e6a99724ea9b8b97997186d27

SHA1
38c5dabd65576a98fe824325e863ccfecb07f14f

SHA256
1fbbc0aa4b19d0895a1fc1580d8530494bb3441f62c960ad26a9b2e31d81e3ac

SHA512
8ff63148a8f58a3d9dd609735fbeee56a1c090db00ca453308a1867ca80e94d120ec3115f1423cdd450aaac96c23dcf286b17a8a5743114922a3b7ed47caa395

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
200KB

MD5
760721e5cfa5427af432bb59f4762d76

SHA1
c467327ac56992c5b1d08b253c354e888c3863e6

SHA256
c9b20d29002f5cde5908ddc58cb0eaffc223711165c676e37034039b02886c51

SHA512
208af79c6d5e9ec22f3424225d2cb926f69f9af223e558186c0b5549a5987c5cd3773ecf05a008fc6618392427f7ba76898a860bfb12d313423f4900bc75853d

Download Submit
memory/884-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/884-910-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing