adb1ca3c3ea9c5b398b5e98c2496cfd80a9ebb44295a48bc5edfed10e0d43693

General

Target

4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
Size

74KB
MD5

4908cc86f2e5897f7d07677e85718980
SHA1

1317961d4582479135f275a715de4027881b7f3d
SHA256

adb1ca3c3ea9c5b398b5e98c2496cfd80a9ebb44295a48bc5edfed10e0d43693
SHA512

fa60e2fe04ed70205bd49e2cc4c6b26a9b157a0f3ee212cb21b69267141c2b686b511485b6bf9ef168b58d0b2972f11c8c777c0f150eb50c1bdb267d0d94c112
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8yiY:+nyiQSoJ

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5035) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2656-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4018855536-2201274732-320770143-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/2656-1844-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Authorization.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationCore.resources.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.winforms.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotdaddin.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JavaAccessBridge-64.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jli.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.cat.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\lcms.md.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\lib\orb.idl.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-ms.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL065.XML.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.Forms.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsound.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msquic.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\lib\tools.jar.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\ado\msado27.tlb.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ospintl.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationCore.resources.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-pl.xrm-ms.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\PUSH.WAV.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Primitives.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.dll.tmp	4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4908cc86f2e5897f7d07677e85718980_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:2656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4018855536-2201274732-320770143-1000\desktop.ini.tmp

Filesize
75KB

MD5
571c35ea3708c9a349dbddb68b11625d

SHA1
9b5765a46f3ef13dc7d57febf8e0041309e69f70

SHA256
eeb1f2f87397a9437ce9724454ef00909050d9ec55e86f72ce90a48d5ec6cd12

SHA512
f2014e4eca4316d50ebeae8df51ac4b3c1b73b4140968b8c0350be352255320cd903ef80d56d7e11ebda22ac69156a14d53b95a39cc019c235bd8ae8ac2ee189

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
173KB

MD5
dd75c44b556cc42084f5acdd0d251c3b

SHA1
0abc60f030811b1bef7980800e59a018f6e0c932

SHA256
38261c39d3771fdfca46235ab1f175b6d8eb66df116a1df6aee64dece7dc1684

SHA512
55731f4f316a8e276caa407c6aec968430e916d11a77e100a0eb560c6a4b00cd5caa3abc2345e85b0b6b55e63489f4c1fd8c9715712be70aca98944978524d9d

Download Submit
memory/2656-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2656-1844-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing