31b9403b9e4211d3c67b00deaea4248888ffd38cde760101b711ebf708bed219

General

Target

7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
Size

57KB
MD5

7126c9397a8722cc200418bf96388720
SHA1

ca9ffd03d75f05d14c72aa0b6204e977620f3e08
SHA256

31b9403b9e4211d3c67b00deaea4248888ffd38cde760101b711ebf708bed219
SHA512

bd9767a79e1ce76e698a1615af521c722c163dd496ddbc78800c6619f3300da3d72d46985c20008e6fad3a4d02d4a56674356c6d580c616d5bb9e957ba5184ac
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2bTgT7v2r:CTWn1++PJHJXA/OsIZfzc3/QbU/+

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4846) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2028-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/2028-1018-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsym.ttf.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Linq.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_elf.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-ms.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationProvider.resources.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\deployJava1.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Office 2007 - 2010.eftx.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlSerializer.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\ExitConnect.xps.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\plugin.jar.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL058.XML.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHLTS.DLL.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.StackTrace.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationFramework.resources.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\calendars.properties.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Tar.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glass.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\gstreamer.md.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationUI.resources.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\idlj.exe.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiBold.ttf.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul-oob.xrm-ms.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Buffers.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms.tmp	7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7126c9397a8722cc200418bf96388720_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:2028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini.tmp
Filesize
57KB

MD5
78ffc68731823abfbddb3f3725286e6d

SHA1
c2f9c9badcee96e161e77ccc589b3a38332f506b

SHA256
472c3258f963d7fec509a2b3f0ccb175b3f3317187acd301e19566d384b1fe70

SHA512
c3514c50b4fbb4c5cb2876a6db242d8558bfe3481486e84147e6c3de3042dd3bb267366f049189d5e0c3947bf5293f692aefb767efcf08d5dfb6d34180a4c8dd

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
156KB

MD5
122c0549ef61be39ae87df2df500a001

SHA1
9745aade8c83fc7ec27b9e3071f8c4564ed03970

SHA256
1b200d9218c3640d579cccf73b37137508c35d424b1ab0f2f7fbf4fcbbbe3ca4

SHA512
5c390f4364579a426bee94146367357ea5fb15a8b81797157d6de14db234cf632011330dca0e53e7eb609d8af8bc020d93acc06ed2e25da88e01bd876df20a15

Download Submit
memory/2028-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2028-1018-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing