14555244012a9d456e830e44407a71eb365a6c6904520cc57c56c07d6032092c

General

Target

1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
Size

40KB
MD5

1afeadb591dd0a8ba5c10b60050b4290
SHA1

489d4bde953d87c70e8e6e18d0b845f9624e7f14
SHA256

14555244012a9d456e830e44407a71eb365a6c6904520cc57c56c07d6032092c
SHA512

18e0b3ef34f55c2504244f272ff283ec4a52921d482b92b21b48d960a1769c54d0cf55f1544c0edecd9bf2ef5ae8ca701606c0edef975b1664827c615251ff20
SSDEEP

768:kBT37CPKKIm0CAbLg++PJHJzIWD+dVdCYgck5sIZFlzc3/Sg2aDM9uA9DM9uAF2q:CTWn1++PJHJXA/OsIZfzc3/Q82cicT

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4867) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1692-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/1692-1053-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.security.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\LICENSE.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-string-l1-1-0.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\preloaded_data.pb.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.IsolatedStorage.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsound.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationProvider.resources.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Forms.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IGX.DLL.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN010.XML.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Primitives.resources.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.ini.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\trusted.libraries.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordbi.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Primitives.resources.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\java_crw_demo.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\splashscreen.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHARTCOMMON.DLL.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\msipc.dll.mui.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsBase.resources.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationTypes.resources.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicudt58_64.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.resources.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClient.resources.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Controls.Ribbon.resources.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-ms.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\COIN.WAV.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationFramework.resources.dll.tmp	1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1afeadb591dd0a8ba5c10b60050b4290_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:1692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp

Filesize
40KB

MD5
b763a190be9eacafddf0089780f533d1

SHA1
21438c068e4817532e0cc8134df3789cddc0f3f7

SHA256
2a61c7c002e3f5333e1b3d2a1f4a01773c74eb3ef0b251f900c4268da826f440

SHA512
2c92a089d709a549ad0f3fe4860744165fe6ef8130a905e499e53021cbb04d7a1a921d3ac18a78f123ddd72f88d5ad1ac54b700a9e5f6fe540d63469e37d6914

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
e92e78cdf4e620912eb3a3cf97d18ecd

SHA1
45ffbc75521ef1e54ecc551902e7c7e4cc24bf48

SHA256
faa5649d96aba2c4746c3a48480ff2a417af6852a81ca0dc35014d6c8b1fce5a

SHA512
ac1927d8cd25df4569de6932ddcd202a7d4fa716addb021d1b1fe9e8362c26d35dc41fe790ae8a094c247dc1eb7f432877284e2dcb1a9180d79dc900017824a9

Download Submit
memory/1692-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1692-1053-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing