21338efda13d2edd2557b1885d1f89421aae0140534d6a9000e7a9a98858a795

General

Target

6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
Size

120KB
MD5

6c9f3dadbb1bde938ce7eabb512bc790
SHA1

9ed97e7a6c548aeab00e3dc19a3e2a56ba98b092
SHA256

21338efda13d2edd2557b1885d1f89421aae0140534d6a9000e7a9a98858a795
SHA512

e6555d2056775d53dbf97cf8381ed5a39231159682430de5515fbcc5e70e8de2f5bd4b2f0cf6b002eab647550a67ef2f3398afcd91b6b65be76368258df41b79
SSDEEP

1536:67Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8xJJMJJbTWn1++PJHJXA/OsIZfzc3/Q8S:+nyiQSolQSoR

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4731) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1952-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-3571316656-3665257725-2415531812-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/1952-1698-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Xaml.resources.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ul-oob.xrm-ms.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MYSL.ICO.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Classic.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-ms.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-oob.xrm-ms.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Configuration.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.Windows.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClientSideProviders.resources.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_200_percent.pak.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.PowerBI.AdomdClient.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.DataContractSerialization.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemCore.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-ms.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Timer.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.IO.Packaging.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WHOOSH.WAV.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Resources.Extensions.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.resources.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-ms.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationTypes.resources.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClientSideProviders.resources.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\hijrah-config-umalqura.properties.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ppd.xrm-ms.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-oob.xrm-ms.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipresx.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.AccessControl.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6c9f3dadbb1bde938ce7eabb512bc790_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:1952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3571316656-3665257725-2415531812-1000\desktop.ini.tmp
Filesize
120KB

MD5
3d86f9fe12d0f802bb00d9ff22340331

SHA1
f29a37eaf19deadca8fa04cbf9b2cce28c59909c

SHA256
59e1b804f1f980101ebc5749586cc1b148231efb869eb6d4ca48c2c15b91e4fe

SHA512
a78e1d83e3d5d93953ab94e089f25f9a8fc958ed3d9962bca539940f3070a6c286ee80da79e9d6c91b961404c53bf38728e5fb6cdb3bd7c2b04567c4d7467719

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
219KB

MD5
843cd369128b1f9b4ce24f2c83d2811d

SHA1
3336dfd4a88e31da7bda2ac955fd669049d7892d

SHA256
8897202b5d9de7dc4be7c02ad62c24055a056c28730803431ef903ee76de99fc

SHA512
0a49b32bd27181469d179057b1f111774b37a3980c70579eef658fdd24f10db2a0060755582c7fea20cfaf73ae5e3d1446ebf6cc41293af4c339ea09134279ea

Download Submit
memory/1952-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1952-1698-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing