8b0b6f3d712b610f5fe820aca750560c01d0f64901c2e69d7ff5378e66f64b64

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
Size

54KB
MD5

ff2d64aee6779693c599e7611dff0d50
SHA1

34cba0f66a82ddcd3f7a0b7f27db18963e60a2a0
SHA256

8b0b6f3d712b610f5fe820aca750560c01d0f64901c2e69d7ff5378e66f64b64
SHA512

9d2ccac6bc660c470b141418ce052c8461b3ab3929aef24c6593768c90db4b4fee4b0e483be5d5845aabaa2829d68c8610eded5cc46c9d0dd7e0f9873ab753e8
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q8asUsJOckSkcaa1aaK:KQSohsUsVaa1aaK

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5185) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2664-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x00090000000226e8-2.dat	upx
behavioral2/files/0x0009000000022975-6.dat	upx
behavioral2/memory/2664-1118-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-oob.xrm-ms.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.stats.json.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ppd.xrm-ms.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-oob.xrm-ms.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Numerics.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PenImc_cor3.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Client\vccorlib140.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Internet Explorer\hmmapi.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.DataSetExtensions.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationTypes.resources.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-ms.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\OMICAUTINTL.DLL.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-pl.xrm-ms.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Controls.Ribbon.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\LICENSE.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\redshift.ini.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\MSIPCEvents.man.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Layout.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-80.png.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsBase.resources.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\logging.properties.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msquic.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.PowerBI.AdomdClient.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\DismountWrite.pot.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Handles.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\manifest.xml.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp	ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ff2d64aee6779693c599e7611dff0d50_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:2664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini.tmp

Filesize
54KB

MD5
338b671fd956ed4d7e7366bf96a01cc9

SHA1
dd8a6fd5c9ca300cd23cef8d9f867d1f5abda9ae

SHA256
0d5c075df6881dafaed8e67847dfb1274c0e4fc941b3580edef0cae58eda5dfe

SHA512
fe6eb481dc48753f851f03aa5d3e09432a31da027288484f8c937c03b960fae402e76a2437b1d8093825c09e63ae9d498cf3ee54b4cefc73e139dc3aaacc172b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
153KB

MD5
002507914fd24ae3e6ede7dd1608aa20

SHA1
80aaf7d5ed64545d8074f8e773f3be75e80cd534

SHA256
4b91f1a4952571061047b668ababb1db8b2b6852858c552c26eebc4c2e5004ba

SHA512
d3b4b80130977177ea286c8e05b563a778b5a1bf1d361ca2b59d4afcb1615d599f99512e1690e3b48260264ecf7a62fbee42f7b8e87284b40c1d34b48b47638d

Download Submit
memory/2664-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2664-1118-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads