873879199719b780363a734ee09b3531c5812cc6c3ac8cf282beab823d04da8b

General

Target

208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
Size

61KB
MD5

208e464f4da4bb8e629e359b863577e0
SHA1

61b7362a24400de1ab51ea0d3819c7c319465b15
SHA256

873879199719b780363a734ee09b3531c5812cc6c3ac8cf282beab823d04da8b
SHA512

be4e2a93ef6891df2f70ead1518feb8f7e6e48039a8cc9248d95593edb6aa0a706340cbe9f98b07677d20f96ef9374b961be1cffc0e1e37f79fc6c34f2399c21
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZBX5WX5oOf:+nyi4Mj

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5198) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5112-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.chm.tmp	upx
behavioral2/memory/5112-1956-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Csp.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationFramework.resources.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationFramework.resources.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationUI.resources.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClientSideProviders.resources.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationCore.resources.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationTypes.resources.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-xstate-l2-1-0.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ppd.xrm-ms.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ppd.xrm-ms.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalResume.dotx.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ppd.xrm-ms.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsBase.resources.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\glib-lite.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ul-oob.xrm-ms.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsBase.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\meta-index.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ko.properties.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfxmedia.dll.tmp	208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\208e464f4da4bb8e629e359b863577e0_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4088,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:8
1⤵
PID:5060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.tmp
Filesize
61KB

MD5
39006200df1969f117cdc073bfc45068

SHA1
2ef1635aa00b50f132c457c332d7b09c7793fad4

SHA256
c084688bb79aca34462cdf830c4cc5571ec66f938f9d7ce4a9fc1dc6eb0abeff

SHA512
ccaf3dc3b643ee92c6cfe1b60ccbb176712d453d06686cfa44d6e1cc43b99ae129dfc0b1d52fc6fc3686a1e49b6dfc91252188fa98e8858d36737dff84bc451b

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp
Filesize
173KB

MD5
dee40adde7122e67e4f812b849a6d04e

SHA1
bf2bbfceeb4a84552ed5143a38d1091a8c9723fe

SHA256
550e0cfc9f2a81dc9c48cc8b0bc1aed5809e3fcf1cb034dedaf064927697a988

SHA512
a0ebcb6527fb867929e97df32bc308d2f757885feefac73762505f62b9a9b6349d1e00b6a5358676799abac8125dcea8345d01acc884b6982ed3c8d2731f1326

Download Submit
memory/5112-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5112-1956-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing