dharma | 7e6d3ceeafc612ead63ee55be9c1cbd4f501c7abd4ae2717d7f2130e94eccffe

General

Target

b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
Size

70KB
MD5

b15f25bb061766c31f948d1fd76c7970
SHA1

a3c053ab3c0a9357cb602a36bdfee9f65d22ee23
SHA256

7e6d3ceeafc612ead63ee55be9c1cbd4f501c7abd4ae2717d7f2130e94eccffe
SHA512

b35ad29404dee1c5fed9aebc4a3a16eba45ac9966badb1ea0349d6c29120c247b43a9e1fd60dc33192f2b08ea5860c809f0b8fc8a60574da5dd7986268984d0b
SSDEEP

1536:Dclu3E0ty5RM6EbxyY075jQndC6+JfLAVY4TNPgHse3ygWKLKpuC+:eu3NURAbyjQd8fcXZud0p

Score

10^/10

dharma defense_evasion execution impact persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (516) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

Drops startup file 5 IoCs

Processes:

b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3152-0-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/3152-21658-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe = "C:\\Windows\\System32\\b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe"	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Public\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

Drops file in System32 directory 2 IoCs

Processes:

b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System32\Info.hta	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Windows\System32\b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-125.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.CoreProviders.resources.dll	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\cy.pak	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.37\msedgeupdateres_gl.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.resources.dll	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\ui-strings.js.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosLargeTile.contrast-black_scale-100.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\LargeTile.scale-125.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-256_altform-unplated.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\ui-strings.js.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PROFILE.INF.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Linq.dll	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EdgeWebView.dat	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\wmpnssui.dll.mui	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ChakraCore.Debugger.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreWideTile.scale-200.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fa.pak	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\new_icons.png.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libremap_plugin.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\kk.pak.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\plugin.js.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-400.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\ui-strings.js.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\ui-strings.js.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\ui-strings.js.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\sat_logo.png.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Edge.dat.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Controls.Ribbon.resources.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-white_scale-100.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1850_20x20x32.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\adc_logo.png.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-time-l1-1-0.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforsignature.svg	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\msvcr120.dll	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_filter_18.svg	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-memory-l1-1-0.dll	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\wmplayer.exe.mui	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\THMBNAIL.PNG	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Design.resources.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\WideTile.scale-100.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_common.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover.png.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Utilities.v3.5.dll	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\PSReadLine.format.ps1xml.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

2948 vssadmin.exe
6872 vssadmin.exe

pid	process
2948	vssadmin.exe
6872	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

pid	process
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 4024 vssvc.exe
Token: SeRestorePrivilege 4024 vssvc.exe
Token: SeAuditPrivilege 4024 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	4024	vssvc.exe
Token: SeRestorePrivilege	4024	vssvc.exe
Token: SeAuditPrivilege	4024	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.execmd.execmd.exe

description	pid	process	target process
PID 3152 wrote to memory of 4524	3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	cmd.exe
PID 3152 wrote to memory of 4524	3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	cmd.exe
PID 4524 wrote to memory of 2796	4524	cmd.exe	mode.com
PID 4524 wrote to memory of 2796	4524	cmd.exe	mode.com
PID 4524 wrote to memory of 2948	4524	cmd.exe	vssadmin.exe
PID 4524 wrote to memory of 2948	4524	cmd.exe	vssadmin.exe
PID 3152 wrote to memory of 6996	3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	cmd.exe
PID 3152 wrote to memory of 6996	3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	cmd.exe
PID 6996 wrote to memory of 1896	6996	cmd.exe	mode.com
PID 6996 wrote to memory of 1896	6996	cmd.exe	mode.com
PID 6996 wrote to memory of 6872	6996	cmd.exe	vssadmin.exe
PID 6996 wrote to memory of 6872	6996	cmd.exe	vssadmin.exe
PID 3152 wrote to memory of 8512	3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	mshta.exe
PID 3152 wrote to memory of 8512	3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	mshta.exe
PID 3152 wrote to memory of 5268	3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	mshta.exe
PID 3152 wrote to memory of 5268	3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	mshta.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:2796

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2948

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:6996

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:1896

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:6872

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:8512

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:5268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4024

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Modify Registry

1

T1112

Direct Volume Access

1

T1006

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-5BD180E4.[[email protected]].get
Filesize
2.7MB

MD5
c509ba5b520b6914e6f2f908fa7d6560

SHA1
e54199ccf7e7dfd9f08c6e5961d32789db4478d3

SHA256
ebc508f7c28f655f4ef095db8b8a8f3e4d18d55581c389a734a5b910f6f3156d

SHA512
dc1881d608f38881369b3c443a9e942361f1917d83fe91627698bae930bdaf9bb9bcc6acb3d82a1724c4dbdc1f062e6747474f8ef324c792d0a338b1d20b5353

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize
7KB

MD5
ce0759e9d994b1cccc18bb3c17375acd

SHA1
e06da9b4006cbc27c770b66114b64f9972a38781

SHA256
bce02ffe36d357b0b0b2bec8aa6fb4427a03a259ba028ebca97ff9a115956843

SHA512
846a79ee6ec17cef4d9b503d8955f46e07956062adcdb8bf49ba5dda5bf6d85c04953163f501646c3a352f7500e7983bd8e991ce6b3dbe2e2f94899039af403b

Download Submit
memory/3152-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3152-21658-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads