bd372a946d1d5578abc82c5f89befd32f71c397cf1b1740b2a84c10840a4de89

General

Target

79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
Size

80KB
MD5

79d848342f32b0eda759da7fa64dcbd0
SHA1

716bacf6ce7494e276afc800e16606a686370208
SHA256

bd372a946d1d5578abc82c5f89befd32f71c397cf1b1740b2a84c10840a4de89
SHA512

58aa10bd60b71a11dc85fee0145e6606707af2b3b202a91dab3d9dc05cb83eda52e577ea4605f66a5c310077e32b921ad82136a3c135b8e146b8cf9625533b18
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/QbU/A:+nyiQSobU/A

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4871) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4168-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.chm.tmp	upx
behavioral2/memory/4168-1808-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationUI.resources.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationUI.resources.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\hu.pak.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\classlist.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ppd.xrm-ms.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.exe.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Mail.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\LICENSE.txt.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClient.resources.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\gu.pak.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\vk_swiftshader_icd.json.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-ms.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\BI-Report.png.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Linq.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationUI.resources.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Primitives.resources.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\plugin.jar.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\ado\msado20.tlb.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Buffers.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.Messages.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-util-l1-1-0.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Design.resources.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ko.properties.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.StackTrace.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.Core.dll.tmp	79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\79d848342f32b0eda759da7fa64dcbd0_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:8
1⤵
PID:4812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.tmp
Filesize
80KB

MD5
144c1d72ca6f0f5dc94a8aab28814de9

SHA1
4b8a9fb7d1505bff8007f7e17c288a410e4304a9

SHA256
cf9d15e4169030bf31e99dc942e3647d1445b5b2dee8b14d53309c58688517a5

SHA512
6ef637c950240a2eefe6c78599f1d570fe33fbb17a1a9257e2e0f14c2be56b0d64916c67c7cd3da1f96eb53aebc639f9191d9422453e58594b45fe02c757e067

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp
Filesize
192KB

MD5
32ea27c87b8011cb757074a42ac1efe9

SHA1
6868f46a1c1c954915495ee3d11c562d81a07937

SHA256
bebe0fac51dacc09e3b8659c52c5123f7267663733d821100e66aa3027251214

SHA512
4a31533d39e6a96b394d93786d40430076ad07e7fc19d5ca2e0054ffa0f9ea2f4ce201ebf6ff7b2e808c72cec515d1accf17438f894be4c1ea7e060dedf76da6

Download Submit
memory/4168-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4168-1808-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing