3de00c6063b520ae1ac9c91fd22734a1e3361c1006f08c18d03b32eddc69ae6d

General

Target

6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
Size

165KB
MD5

6fcdf5b5566ecd59a02ccf9aa5668e60
SHA1

c1e8d803b091757c34ca561867c63cb158a18fc0
SHA256

3de00c6063b520ae1ac9c91fd22734a1e3361c1006f08c18d03b32eddc69ae6d
SHA512

b6474b543c412594e11bfc933cbb4836e4abbed5b7d6af557def246d699a705fa0758289053ef9d60e36738961ae4c23e455b123d5d21662776633d47b3a08ad
SSDEEP

3072:KQSo1EZGtKgZGtK/PgtU1wAIuZAIuXwFwtdG:KQSo1EZGtKgZGtK/CAIuZAIuW

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4650) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1588-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/1588-804-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Primitives.resources.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ml.pak.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Debug.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Design.resources.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ppd.xrm-ms.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-ms.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\ReachFramework.resources.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\LogoBeta.png.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\lcms.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Primitives.resources.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Client\ucrtbase.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-pl.xrm-ms.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationCore.resources.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsBase.resources.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-phn.xrm-ms.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\ReachFramework.resources.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-pl.xrm-ms.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.StackTrace.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Uri.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-ms.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\msipc.dll.mui.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\ReachFramework.resources.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.OLE.Interop.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Primitives.resources.dll.tmp	6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6fcdf5b5566ecd59a02ccf9aa5668e60_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:1588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp
Filesize
166KB

MD5
ad303af3c032c1ffc3d5295bb1b756d5

SHA1
63404fd3a32b9179f2a5ca770d1b94801385926e

SHA256
d7cefc013ddd75d2f1918cb06119e5cb086dd0148eab12a6bd3ce4a5cc0f9aac

SHA512
45f2988e42b4875f9d4e8d57fb187cc99071f7c8245a4582f52ee6533a3488bb2a3e683138ba3e3ec300a8d1111c783916fb231924015fc9c651f72bf1d99e9f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
264KB

MD5
eef35c03c06df97a1e9b4145aff63847

SHA1
8325bd8e41c312820b3abaa8531ce9ad95e8e6db

SHA256
ca9ad3b9f7eaee0819123dc5de33a0a15635d67719710bdb04feb97c8c8995ea

SHA512
381ac19367575ef8cd219baef3ceb14b3d9126a8f01844e868061029cbe71f542f0b22d6057b2ca373b5e1c772cf9189810102265e370d70e2a45f681902b64e

Download Submit
memory/1588-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1588-804-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing