d35e4e7e9b4842c9c62c2642d3afeb95f656f0a2b048930de95fefaf957eabd0

General

Target

36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
Size

74KB
MD5

36d44c4fcbe4113ce4f5037bbb444400
SHA1

0f88a4ecb0da163fb9f3d029bbbd54ab7da8097b
SHA256

d35e4e7e9b4842c9c62c2642d3afeb95f656f0a2b048930de95fefaf957eabd0
SHA512

d254029af7d8eafc3101a2a5989d80ccd75f4fc8235348b13c2fff2e88b7d4e9349bda8b7b4b6eeb3541ac4009f47b67a6fcce6fbef0a8c80de1d43779fbd0c4
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8yi0:+nyiQSoF

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5108) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3196-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/3196-1892-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-stdio-l1-1-0.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsl.ttf.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationFramework.resources.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Extensions.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\libpng.md.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql2000.xsl.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfxswt.jar.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ul-oob.xrm-ms.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\msipc.dll.mui.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.tree.dat.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pcsc.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ppd.xrm-ms.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-100.png.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL026.XML.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OsfTaskengine.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER32.DLL.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssv.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Localytics.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryResume.dotx.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javah.exe.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationUI.resources.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClientSideProviders.resources.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote.cat.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp	36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\36d44c4fcbe4113ce4f5037bbb444400_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:3196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini.tmp
Filesize
75KB

MD5
840df6a42889e194eaa6c06e48dfed6e

SHA1
04f1399541cdbe2446075fd1f2b0b13b6a379e8f

SHA256
c9436853ef88c143fc536a58ad7640378bd98d6ad933481f9e2a77d714ed397f

SHA512
07c129049a8cdf223e8a89bd02e6f654556131559efe81a50c3553b0b44b251e8dd1e83eb527b01aa015650079b3deb1d4ae3a11737b050d2c09bbb1815adc1f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
174KB

MD5
2797f02456764e5c5c4ea3d5efa236ac

SHA1
1ec2dc95393b468180b75989be952c37a31b1f9d

SHA256
740e4b654c00110b415c525cb19b068b127f2044eac1dfb38a3123344ceeea4d

SHA512
5f75383835ca1edba1cd8d8064015840b549614e3f2427daa7231a9546998ad4758a9219fe830bfd67f1105c41ed4c3ca73b212fc8a74d25dfa95c58a29aec8c

Download Submit
memory/3196-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3196-1892-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing