d670a53ff7b6e7a2ab02d7298f9057f768c630a657c86aefe4479026518dd0a1

General

Target

7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
Size

71KB
MD5

7e04b84da398f973a13bbd9af13cdca0
SHA1

1506a1a789bab08652b787dac9dfa0df3ebdd7ab
SHA256

d670a53ff7b6e7a2ab02d7298f9057f768c630a657c86aefe4479026518dd0a1
SHA512

e800e85d173a2c9a3b1693d77f06cbfdb4f259ffebbee0de74f74b4643b345383afdb563183a8f831e64f88fba732f940785a03cf1c1e78514a45765731a0077
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8xJJMJJo:+nyiQSom

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5188) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1284-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.exe	upx
behavioral2/memory/1284-1886-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Timer.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Design.resources.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunec.jar.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\msipc.dll.mui.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClientSideProviders.resources.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.resources.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnIE.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.AccessControl.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKExcel.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL058.XML.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Design.resources.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\ReachFramework.resources.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceModel.Web.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\psfont.properties.ja.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\glib-lite.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsFormsIntegration.resources.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationTypes.resources.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-pl.xrm-ms.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\EssentialResume.dotx.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUABI.TTF.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcr120.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\BackupRestart.odp.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.deps.json.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssv.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8EN.LEX.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART11.BDR.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.LEX.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\ReachFramework.resources.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXC.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Dallas.OAuthClient.dll.tmp	7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7e04b84da398f973a13bbd9af13cdca0_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:1284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini.tmp
Filesize
72KB

MD5
b117ee89c3dd6cd4a056b924d2a36a1b

SHA1
74031e75d7d5ae461f6bab3293f4c3ed919c7267

SHA256
97df35e6d48e1e7afce0875ea3ce3056250363a28eb339a41e21a435aed9365a

SHA512
16d58e50c61e6098b2e90b9ce89d3738b9acb1e11ad5deb1c2d520b921e135fe412aa059ff96e4a2580ee9c197b749d06c5660c855deb6d985956812d703bad0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe
Filesize
170KB

MD5
17eaa089d386fa34a14de4f26b34a058

SHA1
1729f8453156218d7b42f6b546c3ff20133ecf29

SHA256
8a683578852020b5a0a65f2df612db618d624eb8602175df820d8aeb2279e439

SHA512
8c9ed244acbae1195f21d2ca5e25c022177f8d2204cf9ea31824cce25cf81592713b5042ee4dd785044cf44cb9cd21eb6d64f65b96a334bb099f904e64fe9aee

Download Submit
memory/1284-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1284-1886-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing