d35e4e7e9b4842c9c62c2642d3afeb95f656f0a2b048930de95fefaf957eabd0

General

Target

36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
Size

74KB
MD5

36d44c4fcbe4113ce4f5037bbb444400
SHA1

0f88a4ecb0da163fb9f3d029bbbd54ab7da8097b
SHA256

d35e4e7e9b4842c9c62c2642d3afeb95f656f0a2b048930de95fefaf957eabd0
SHA512

d254029af7d8eafc3101a2a5989d80ccd75f4fc8235348b13c2fff2e88b7d4e9349bda8b7b4b6eeb3541ac4009f47b67a6fcce6fbef0a8c80de1d43779fbd0c4
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8yi0:+nyiQSoF

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (3733) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2824-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2737914667-933161113-3798636211-1000\desktop.ini.tmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp	upx
behavioral1/memory/2824-656-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_zh_CN.jar.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Management.Instrumentation.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\back.png.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\bin\sunec.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Paris.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatialaudio_plugin.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\currency.html.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfr.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\eclipse_1665.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\libmosaic_plugin.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\gadget.xml.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpuzzle_plugin.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\am.pak.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_s.png.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Mozilla Firefox\ipcclientcerts.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsBase.resources.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\gadget.xml.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_hover.png.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Stanley.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtospdif_plugin.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\skins\default.vlt.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-execution.xml_hidden.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\3difr.x3d.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_de.properties.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Games\Hearts\ja-JP\Hearts.exe.mui.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kolkata.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-templates.xml_hidden.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Miquelon.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_WMC_LogoText.png.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:2824

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2737914667-933161113-3798636211-1000\desktop.ini.tmp
Filesize
75KB

MD5
072458fc28b0ddf303a0914186ed3d52

SHA1
53d0508fff18d52ef7a1a8b578263ce9f1c4cb08

SHA256
0daec3f918ad81f6e5293b20aaba09d464b160c7ee81ee1442e30cd459250a33

SHA512
bdfa8ebb3d65d4171a207c0ecc60b2a44cbf24c484be7f606b62e63cd462771af53d10faf5a66e7cabd74b0540364f87c285f3a30c55e377b76ea0ee85a3efc1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
Filesize
84KB

MD5
a9dea2e92eccbc6a80afd3c39df89522

SHA1
f0ed79a76e97853f36925c532983618b5c2ea284

SHA256
15919660bf2678c9b42953a8d9ff9b85bf47f43b1ad3f7c2f6332f171caaeb26

SHA512
d184d33db5da05af8bec9d207da1cf5445cc36333612108b51ee7d6e17d3b697c4b28991739d0443a203196b59e45f82cac84e8492531c3e55ff892061069db8

Download Submit
memory/2824-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2824-656-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing