05cd9086acfa020f504d1e5bb74a5923995ebdc346fd5e45f05455c5d2ca248e

General

Target

942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
Size

81KB
MD5

942da28a926a40c27d6e6772bb7bd010
SHA1

d98a0cd03d8adf1ec12af937baa3fe24a65693a2
SHA256

05cd9086acfa020f504d1e5bb74a5923995ebdc346fd5e45f05455c5d2ca248e
SHA512

dea05c6dde84950ebe2355e3807a4b53f2eb3cdbce1cf8e5e51931d94258f0303bc8a1098175004eaba62395f60538747ba53fe3dab2c890b4f6553639a5d322
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8asUsJOw:fnyiQSohsUsZ

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5190) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3812-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp	upx
C:\Program Files\7-Zip\7-zip.dll.tmp	upx
behavioral2/memory/3812-1952-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicsimple.dotx.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-pl.xrm-ms.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\ReachFramework.resources.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationUI.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationTypes.resources.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\meta-index.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationCore.resources.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-100.png.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationUI.resources.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\ado\msado28.tlb.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\ado\msador28.tlb.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero2.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssv.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationUI.resources.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceProcess.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationFramework.resources.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\ReachFramework.resources.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLSLICER.DLL.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-ms.tmp	942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\942da28a926a40c27d6e6772bb7bd010_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:3812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp
Filesize
81KB

MD5
9d011f76caa9ced497cf50c2a4758b6a

SHA1
63cd771cde047608bf0597acb9982c751800493a

SHA256
f94ba0a27bc92dc2ec60004e5eb262558bdfc0f444b56af0a7f4f5a0e9293fc3

SHA512
75f3e914f9ad6ba5a2b783835ed1c1ae5458af1e717ee3171e9b8e1c3f55679c0e6b0055a0af4bc55fb661add9d08acae1790e409504fd5e3f7075131b3aebce

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
180KB

MD5
4d9b71b8970bff49b20b2c5dca757246

SHA1
a767d152ac83f9e2bc703a537b6fee9a40a10a6a

SHA256
d0afd0506f5e1866a0c1831560f20faf78f54f020ea3c6e44b00d5779452745b

SHA512
92cd84381a7da1cd606c2208686685342070436eb1bd0cdfb5aa9d11b5a9bf6811d18b5b880c10d547b38e16c7f74d30e1c25387eff5ca948a4b61314fc20b61

Download Submit
memory/3812-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3812-1952-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing