cc54defc823313284908dad1aec788e47af495aa2fc17a0ea8d7b199d7b7aed7

General

Target

01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
Size

2.6MB
MD5

01f6e51fcf7519ab1fdef65c54bc04b0
SHA1

1dd9a6500f909863191b07d59d2f0be5188d4774
SHA256

cc54defc823313284908dad1aec788e47af495aa2fc17a0ea8d7b199d7b7aed7
SHA512

e64a3f96d1cb4a079c9ba77a1f5e31f7e7af8aed982f4bfb2f97815e0423ff6376bad5e67199fedeed86673efb166c10435f8544feef998060f9e96618a5794a
SSDEEP

49152:AhpSlUqOChhzcnxAm2zbkwKfDVlSsq5+7myQI9SSerNBgm:g3CQ3iTKvS1+CRI92h

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (1175) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3004-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.chm.tmp	upx
behavioral2/memory/3004-434-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.Vectors.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.DataContractSerialization.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Json.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClient.resources.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsBase.resources.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.ReaderWriter.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.HttpListener.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Mail.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-memory-l1-1-0.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Design.resources.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.AeroLite.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\ado\msador28.tlb.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.StackTrace.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Requests.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsFormsIntegration.resources.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Native.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Primitives.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.Lightweight.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Primitives.dll.tmp	01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\01f6e51fcf7519ab1fdef65c54bc04b0_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:3004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3900,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
1⤵
PID:1696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.tmp
Filesize
2.6MB

MD5
6f210d46f657c7b50876242170caf720

SHA1
652fa2aeaca3aaa00341e4bd8b87316782e9a8a2

SHA256
4150c4765d149be1a9abfd01712f9a1dd4128e156feada41a0b7a3e13939baeb

SHA512
311f929ae6a3d88cff2ae0b29d980ca21931e9667c2f4f45f1bf2026b3c8571d7f41cdf05ca61e5079f2f002e5eaaecf14828683326d849151856e73738b3612

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp
Filesize
2.7MB

MD5
5b47724be5abc8007dda81d1c9e33d81

SHA1
712f69368d1f4c0a8e81dc691d267bec430b293d

SHA256
f01a6aa2a2dfbe4e6411207935e04fe9b434d254e6c0c066a2d781fc07327356

SHA512
51b23e691c53162fdd82758661ed70656ed4fc87c36444b9a66f81d9b00b37759eb29dd076bb5dc3e2d7c1542da56e4a248902c6332cf2ff7c0dcaae860dd189

Download Submit
memory/3004-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3004-434-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing