7454a3c35c8ec680c8a1427b551ab838b79748b301acbb9d4e4162e4c9917a1e

General

Target

bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
Size

349KB
MD5

bfaac262e97043aad2be90948aea5ba0
SHA1

00e3025fbdd8717c9ea9da61451f87aef7d011f3
SHA256

7454a3c35c8ec680c8a1427b551ab838b79748b301acbb9d4e4162e4c9917a1e
SHA512

bc8e4bd0f52ec53c320078d6bb3c124bde077023a608d90bead0cfdd2fca7c2bb27ab797537a2656279470fa59c14640d056ecdab6a212e094ca344aa99d9426
SSDEEP

6144:JmCAIuZAIuDMVtM/5ejyLAuVtXgM1iLq7Jz2DxgBRjczXlvP/oF:7AIuZAIuOzBD5g/jc5vP/o

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4075) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1124-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/1124-1338-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClientSideProviders.resources.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems32.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Asn1.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemData.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l2-1-0.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ppd.xrm-ms.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClient.resources.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationNative_cor3.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\nb.pak.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-math-l1-1-0.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.Vectors.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Channels.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ppd.xrm-ms.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-oob.xrm-ms.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Royale.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\tr.pak.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-pl.xrm-ms.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Watcher.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Primitives.resources.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClientSideProviders.resources.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-ms.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Mail.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.Editors.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationTypes.resources.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.DispatchProxy.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationFramework.resources.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui.tmp	bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bfaac262e97043aad2be90948aea5ba0_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:1124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp
Filesize
349KB

MD5
be4d81ca492a310424ae5031317f3284

SHA1
58b4922d8fbf485cb9a0a7c91df8997e2cbf12d0

SHA256
0e2b82301d1277b70f88a5ccfd049e6829895a7006b2b9976dd8b3d3c23cdb92

SHA512
b028032199f3a919e9de5a68a71984bbb69d155d5d60e2e9786ec04773a7783495c3202c7eba585740f6f2c9b70d7e787b4b41a8842063becc8abf2031f975c0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
448KB

MD5
b924112f4004294cdb3389922c75835b

SHA1
a2a2bbb9a85740841298c69a2416f0be71acfc5b

SHA256
23617cd017c2fb16e6cca9fd0f1d0d8a1a12ec4f3e79615748f6328779fee915

SHA512
8039671d3f39561aee67de172e0b0dd7c8553cc5d45a999e3c1707590885aa855f4ef461f30e13717948eb4c9c4f06b1bf41fd5d21496ed698f8a19b7a17f4f5

Download Submit
memory/1124-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1124-1338-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing