84f2118e39d46a4c6e2a6e185ff9d8f31503ee2c45bce5d0e6512badc1181b56

General

Target

50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
Size

71KB
MD5

50dfcba383f929643a1ca3a66cb71dd0
SHA1

6ffa3bc281cd55ab198257767ddde1a4a3a25cef
SHA256

84f2118e39d46a4c6e2a6e185ff9d8f31503ee2c45bce5d0e6512badc1181b56
SHA512

5558d327efc51f6b99d5d24bf53c1c603dfe59e3fada67269613e2fdfc2ee7aa446d6712ea503a8926eb5d9af6add471cc96895ba17b61ae8098a24aae12a189
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8xJJMJJ0:+nyiQSo+

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5176) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/836-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/836-1947-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ro.pak.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ul-oob.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Claims.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\ReachFramework.resources.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\amazonredshiftodbc_sb64.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\centered.dotx.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgrammar8.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Permissions.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationProvider.resources.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.StackTrace.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcr120.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyLetter.dotx.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationFramework.resources.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\lib\tools.jar.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Windows.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceProcess.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.resources.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationUI.resources.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-localization-l1-2-0.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.AccessControl.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Design.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Xaml.resources.dll.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp	50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\50dfcba383f929643a1ca3a66cb71dd0_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp

Filesize
71KB

MD5
69909c15b644a6f8568ef67398546fdf

SHA1
32537258c8bc87b5b4ad48f7cfb10b4182feb2d3

SHA256
dd0c687229a1142218e43cde2caf51e2e1f14f677a9b9a98b5e402ecc75b5787

SHA512
e685d5a0e3270bd0318e83b6d5a9b07835d04b1984594a329309e074b68001fd4fd2cef24a38d7a49a9db9867ab880af9938eef36dfa1c858c714b8bbf7d74ec

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
170KB

MD5
70a3fb14d7ace5982517aa0f515ef649

SHA1
14a566243b2eae08e3a84eed5378d7c45302be8a

SHA256
82cfc9743bf5866375eb152a4bf216c5cef074d4b1b4fae968499c29bc7acf4a

SHA512
d1325676d88f9f567be5131417f077b686b822d19e2edea883aeaaa5de3a4654111743b2d5f0c5a9362f10ee658224f5b9dbc12b3037af4ed2b53b7c2e3effce

Download Submit
memory/836-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/836-1947-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing