0d915dddbbecb3362fadf9a3834011096294767752021a13b0d145a8b3da5294

General

Target

13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
Size

64KB
MD5

13fcf923e536aa8367288a21507710f0
SHA1

47d2f886769cea08a4d5cdc7dbbfac94254f9b5f
SHA256

0d915dddbbecb3362fadf9a3834011096294767752021a13b0d145a8b3da5294
SHA512

af6e27bcd86813f43d935527b259d0e2a52cc6189b82faf687d5ae19a7500858bd360bffd415f03cf4694d43e36ff1a05b9690bd44e311a17eb5376ee5bdc3ed
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8c9H:+nyiQSoB

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5131) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4928-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-711569230-3659488422-571408806-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/4928-1828-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000C.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.LEX.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Primitives.resources.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\master_preferences.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsFormsIntegration.resources.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-2-0.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.CoreLib.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.JavaScript.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Immutable.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLLEX.DLL.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ObjectModel.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\attach.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\otkloadr_x64.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-synch-l1-2-0.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Design.resources.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-pl.xrm-ms.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostName.XSL.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationCore.resources.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.TypeExtensions.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Immutable.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\eventlog_provider.dll.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\13fcf923e536aa8367288a21507710f0_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:4928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-711569230-3659488422-571408806-1000\desktop.ini.tmp
Filesize
64KB

MD5
f903d3c8d6b7fca9c8879d5f8d4ea7dd

SHA1
5300bd378e472b1b290162c4818de47f3f5e78aa

SHA256
514e095055f748522272e60d85ec4627cf4c93fefad85826c4ca58891609b734

SHA512
d9b6180726af2f52fb54820517f540900d3e8d2b274ba96e2ec0cc6d2d4548aa15adb8e170f2a16b8040dc0f6f6ddfd9efbf342ae3e2777a4a5ea30b4c079979

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
163KB

MD5
dbd54387f6267f2e411c5d87e8759938

SHA1
3535c6f518ec4bf66b2706775c3c245904d6e5aa

SHA256
3e5a5a5ab13f2af76cf3bc0501b7ce8260485a8befa9251a1aea3746e7585b85

SHA512
3906580c89bd7cf88eaecc14aca1f198cb0ab700e25c001f0f5282f72926356e85698d3a2d10fcf253fc33032d5dc3ba8a29d3e54f6eb838332a1f5fe81ef187

Download Submit
memory/4928-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4928-1828-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing