2b623b725cb043efedd41d70f3941b8bdda49d4c26ea0a404f842a526abf5608

General

Target

cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
Size

59KB
MD5

cecdae45573a357ca8193d2399fe3810
SHA1

bb296cd66f69c14f965f1d840ee583f72aa8c831
SHA256

2b623b725cb043efedd41d70f3941b8bdda49d4c26ea0a404f842a526abf5608
SHA512

59494b52e27912bfcf524ce44c7f2001a46f409970e89098c1aa49c4aac862db3dd20e4c9ab59416f6c5df9327eb3463763e58089153baffda747c497e12fad1
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAFFJ:CTWn1++PJHJXA/OsIZfzc3/Q8yi0azU2

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (1294) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3292-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.tmp	upx
C:\libsmartscreen.dll.tmp	upx
behavioral2/memory/3292-228-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\7-Zip\descript.ion.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Drawing.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Formats.Asn1.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\System.Windows.Forms.resources.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\Microsoft.WindowsDesktop.App.deps.json.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.Debug.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.Linq.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\WindowsBase.resources.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.TraceSource.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.Serialization.Xml.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Text.Encoding.Extensions.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\System.Xaml.resources.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\UIAutomationClientSideProviders.resources.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Mail.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\ado\msado28.tlb.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-conio-l1-1-0.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Resources.ResourceManager.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\Microsoft.NETCore.App.runtimeconfig.json.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.FileSystem.DriveInfo.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\PresentationFramework.resources.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\WindowsBase.resources.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\System.Windows.Input.Manipulations.resources.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.WebSockets.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\System.Windows.Input.Manipulations.resources.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\PresentationFramework.resources.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework-SystemCore.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\System.Xaml.resources.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\7zG.exe.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Drawing.Primitives.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Threading.Overlapped.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\PresentationFramework.resources.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.VisualBasic.Core.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.FileSystem.Primitives.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Private.DataContractSerialization.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Primitives.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\WindowsBase.resources.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\WindowsFormsIntegration.resources.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\UIAutomationProvider.resources.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.CompilerServices.VisualC.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\WindowsBase.resources.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cecdae45573a357ca8193d2399fe3810_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:3292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.tmp
Filesize
59KB

MD5
44b78cd0857555fdeac080885c743b34

SHA1
f7cb9b6eb6be39d2e1fa58d85314aef755bad973

SHA256
4be271984e4fb2ff38e3edac40c227fafeda08a5decd367fdbbec55e6b276fd8

SHA512
b5fcd6b456f20da2609544fda9b74eedd71d045b1c2813355b9c742ff721f70291e18fb2d73594a125bc6b73fee3747d2d9c23ecc58d8c956214b6fcbbd82c3f

Download Submit
C:\libsmartscreen.dll.tmp
Filesize
59KB

MD5
c0a3f0f99cad59eefa787f055d5b31bb

SHA1
7c8d66547ed1417c79ddc867bcec7c89e417dfe9

SHA256
1016e3e3ca03b3fa0882df1c9a24238ec8cb1e4405e973e74801a269c30cabc4

SHA512
91c78208dbc79e526697e86b18cab5e11815115b1e48206bd3ed17f3a5f7ccf7f58b8aa436c60a5a6a0456cbec3707d2d32cae19de1d61baaca7cef0e21a8967

Download Submit
memory/3292-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3292-228-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing