504a1f79aeb0a6c93d9bdd71aed0c26095c71627ae22923d0fe981de76261161

General

Target

0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
Size

72KB
MD5

0fb464bf25da53b9ec21dc4edec28f10
SHA1

a4d92980aea7339ddb11d8972f098d44cab1d404
SHA256

504a1f79aeb0a6c93d9bdd71aed0c26095c71627ae22923d0fe981de76261161
SHA512

1a63cdd6e87dea4bcff0f0856ccb4a7a7f7ca57b8026995551ce74c351eb53e35aa402ad78625106f449b58dbbc2d837ea5708d9aed573d174c98b64453e3e6c
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8xJJMJJu:+nyiQSog

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5000) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1020-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/1020-1776-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Xml.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-phn.xrm-ms.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NameResolution.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-phn.xrm-ms.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tracing.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPINTL.DLL.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\lib\javafx-mx.jar.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Input.Manipulations.resources.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcp120.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\JitV.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemData.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.CodeDom.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\lib\tools.jar.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CLVWINTL.DLL.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\ado\msader15.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcr120.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-ms.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul-oob.xrm-ms.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.Local.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationTypes.resources.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Internet Explorer\hmmapi.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN082.XML.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.js.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-pl.xrm-ms.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CLICK.WAV.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClientSideProviders.resources.dll.tmp	0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0fb464bf25da53b9ec21dc4edec28f10_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:1020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.tmp
Filesize
72KB

MD5
0da9b11a32d8cb3cb4c93f98e4cbbd75

SHA1
77c5835ba781be32ade7047a91441479ca921c52

SHA256
ee9c3de10bfe5102824d0b2d21915e8b67fc6fd5527b13999f849e34bcce6ebe

SHA512
fbf1bc5d01f912ac4127dd49e2545f1c4e8f57fbeac46f1065e9d6254d6267654dbd68c155663fc941eebf0c4b67f8e20876e67883cb9539ec8c45e3580e4c13

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
171KB

MD5
ed8136f29af15478a3f5b0f3aa57608a

SHA1
6caef1197cae6cb21cbc29b747800854968e24b2

SHA256
5af2f0e3901bd4c5e75a32268fdfb50c7f6851455338d6c1e86863d7f6943016

SHA512
7244db3de567bd09df717429b6aa9b7aa907a9e3b75802677e0fc243b3fc14db92d944e539e375a02aa05aa2659148c35ef10da75639110af9f8f749a71f8324

Download Submit
memory/1020-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1020-1776-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing