6466008f4d5b3f986058342915109fc34175479c5cef260f807bcbbfaf090941

General

Target

76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
Size

108KB
MD5

76583e1cdbd91e7875edb4f0dff10160
SHA1

777b030b8093f607b4a30e544a076322356a9f9b
SHA256

6466008f4d5b3f986058342915109fc34175479c5cef260f807bcbbfaf090941
SHA512

77ce49369bdf000c31c13313bc54614890f929952d4091e7ae2c3120b0578d675e38b45386b4611189e69fcb4fc4f35ac6283cca28864caaa81faed46cc6ce0c
SSDEEP

1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hfS/B:hfAIuZAIuYSMjoqtMHfhfqnB

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4845) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5028-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.chm.tmp	upx
behavioral2/memory/5028-904-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\wxpr.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\BI-Report.png.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-oob.xrm-ms.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\hprof.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-phn.xrm-ms.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationFramework.resources.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-100.png.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote.cat.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorrc.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\ReachFramework.resources.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\ReachFramework.resources.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\sl.pak.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClient.resources.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationCore.resources.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\pl.pak.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-pl.xrm-ms.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.Json.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL116.XML.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL048.XML.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\ReachFramework.resources.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\ecc.md.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Immutable.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.AccessControl.dll.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT.tmp	76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76583e1cdbd91e7875edb4f0dff10160_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3416,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8
1⤵
PID:4200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.tmp

Filesize
109KB

MD5
8c2d8821ecc75366cc2ed5691f5cdfad

SHA1
9148b3b595018ce112f15287fd8e80de013ca5db

SHA256
13c67579233262459b52345198ef7ca7985bbef9b47c09f9ab4ba74e3a537dc7

SHA512
32aa693980cd74c1d79ac3bece7941a2eb650bedc1f4a7b1fcb3726b66fad644fd761676967fa01771c7f937c1c5069a23e3f443c5e9c74a87832b0a137b1fc5

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
221KB

MD5
c23a52d568fbfbe3bcf348f780551b62

SHA1
462246115027afa2c923fe30f55eb4f4d2617814

SHA256
badcbf9c2812c8c900e0b9825464c877d935a78db74f3465e96f567b8083895c

SHA512
7f11c59f960a009d90ada97c59d3cbca66b64e4286d27707fa8b1d690d53613035034814e8df9b2583fa138e094feb8d48e38f84b770f184c0989e0a4848ed9f

Download Submit
memory/5028-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5028-904-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing