f423e88c6e3899162ea01e2e87234e6087ff97c055475eefb1e3e02a44891c11

General

Target

3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
Size

217KB
MD5

3dd8ff79c363ef4e46336a51dca58ab0
SHA1

402d5572d92e071ea1757e7dce59ac1d9c36ae95
SHA256

f423e88c6e3899162ea01e2e87234e6087ff97c055475eefb1e3e02a44891c11
SHA512

dcc57449dde56eae0a10802f9962b2203520fd70a9a4d5e2c3f898b8e5068b2fa55994888b7e55b8741c605e9c526a7d7b6210e2e4decda314acb5785062dbc0
SSDEEP

3072:+nymCAIuZAIuYSMjoqtMHfhfFfAIuZAIuYSMjoqtMHfhf1:JmCAIuZAIuDMVtM/XfAIuZAIuDMVtM/r

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4725) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2316-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/2316-1641-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationUI.resources.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JavaAccessBridge-64.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2gss.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\resources.jar.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690Nmerical.XSL.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.IO.Packaging.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\manifest.json.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.HTM.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsBase.resources.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-100.png.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ct.sym.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfxswt.jar.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationUI.resources.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\net.properties.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Client\C2R32.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ul-oob.xrm-ms.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\ReachFramework.resources.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l1-2-0.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\lcms.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Controls.Ribbon.resources.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationCore.resources.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationTypes.resources.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-phn.xrm-ms.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\hijrah-config-umalqura.properties.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\MeasureOpen.m3u.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMXB.TTF.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Primitives.resources.dll.tmp	3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3dd8ff79c363ef4e46336a51dca58ab0_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:2316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.tmp
Filesize
217KB

MD5
8dd195100d3042afd55bcf8b4ebe287b

SHA1
8de91c3f8c5bd088ffb86ad0384f3fa2c3e74ca5

SHA256
c7e20226a027bfb786a1a22799532c7b3c975239148fc2a53dde6449f9b915bc

SHA512
5eb5ee80bfa4ad25c513bff411f6cffc8098cd9306babbaa3d63d34bd6bb56101b9ce45275ae9c7b75aaaf710ce5fa022f5370612d239b0652ebfbb73ba383cd

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
316KB

MD5
add4a1cadc02766ee2814259182dfd9b

SHA1
df16b95c8aef79e5e1c98b839778e598e6a925b9

SHA256
60962fa70caf4ac0358ad2745ec8febff3ad0089faadcb320ed738086b460169

SHA512
e171ddd5d5fbdd5ada75dde72139c79e677e5cff35b6a1b93494852c0b41353fc0a94e470cc4e16f22f95b4ca5234086329bd92a3ca6937398951a2e496856d4

Download Submit
memory/2316-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2316-1641-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing