dharma | 7e6d3ceeafc612ead63ee55be9c1cbd4f501c7abd4ae2717d7f2130e94eccffe

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
Size

70KB
MD5

b15f25bb061766c31f948d1fd76c7970
SHA1

a3c053ab3c0a9357cb602a36bdfee9f65d22ee23
SHA256

7e6d3ceeafc612ead63ee55be9c1cbd4f501c7abd4ae2717d7f2130e94eccffe
SHA512

b35ad29404dee1c5fed9aebc4a3a16eba45ac9966badb1ea0349d6c29120c247b43a9e1fd60dc33192f2b08ea5860c809f0b8fc8a60574da5dd7986268984d0b
SSDEEP

1536:Dclu3E0ty5RM6EbxyY075jQndC6+JfLAVY4TNPgHse3ygWKLKpuC+:eu3NURAbyjQd8fcXZud0p

Score

10^/10

dharma defense_evasion execution impact persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (516) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3152-0-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/3152-21658-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe = "C:\\Windows\\System32\\b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe"	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Public\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Info.hta	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Windows\System32\b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-125.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.CoreProviders.resources.dll	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\cy.pak	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.37\msedgeupdateres_gl.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.resources.dll	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\ui-strings.js.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosLargeTile.contrast-black_scale-100.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\LargeTile.scale-125.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-256_altform-unplated.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\ui-strings.js.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PROFILE.INF.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Linq.dll	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EdgeWebView.dat	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\wmpnssui.dll.mui	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ChakraCore.Debugger.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreWideTile.scale-200.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fa.pak	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\new_icons.png.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libremap_plugin.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\kk.pak.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\plugin.js.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-400.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\ui-strings.js.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\ui-strings.js.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\ui-strings.js.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\sat_logo.png.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Edge.dat.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Controls.Ribbon.resources.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-white_scale-100.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1850_20x20x32.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\adc_logo.png.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-time-l1-1-0.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforsignature.svg	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\msvcr120.dll	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_filter_18.svg	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-memory-l1-1-0.dll	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\wmplayer.exe.mui	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\THMBNAIL.PNG	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Design.resources.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\WideTile.scale-100.png	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_common.dll.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover.png.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Utilities.v3.5.dll	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\PSReadLine.format.ps1xml.id-5BD180E4.[[email protected]].get	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2948	vssadmin.exe
6872	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	4024	vssvc.exe
Token: SeRestorePrivilege	4024	vssvc.exe
Token: SeAuditPrivilege	4024	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 4524	3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	82
PID 3152 wrote to memory of 4524	3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	82
PID 4524 wrote to memory of 2796	4524	cmd.exe	84
PID 4524 wrote to memory of 2796	4524	cmd.exe	84
PID 4524 wrote to memory of 2948	4524	cmd.exe	85
PID 4524 wrote to memory of 2948	4524	cmd.exe	85
PID 3152 wrote to memory of 6996	3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	92
PID 3152 wrote to memory of 6996	3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	92
PID 6996 wrote to memory of 1896	6996	cmd.exe	94
PID 6996 wrote to memory of 1896	6996	cmd.exe	94
PID 6996 wrote to memory of 6872	6996	cmd.exe	95
PID 6996 wrote to memory of 6872	6996	cmd.exe	95
PID 3152 wrote to memory of 8512	3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	96
PID 3152 wrote to memory of 8512	3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	96
PID 3152 wrote to memory of 5268	3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	97
PID 3152 wrote to memory of 5268	3152	b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b15f25bb061766c31f948d1fd76c7970_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:2796
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2948
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6996
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:1896
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:6872
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:8512
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:5268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-5BD180E4.[[email protected]].get

Filesize
2.7MB

MD5
c509ba5b520b6914e6f2f908fa7d6560

SHA1
e54199ccf7e7dfd9f08c6e5961d32789db4478d3

SHA256
ebc508f7c28f655f4ef095db8b8a8f3e4d18d55581c389a734a5b910f6f3156d

SHA512
dc1881d608f38881369b3c443a9e942361f1917d83fe91627698bae930bdaf9bb9bcc6acb3d82a1724c4dbdc1f062e6747474f8ef324c792d0a338b1d20b5353

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Filesize
7KB

MD5
ce0759e9d994b1cccc18bb3c17375acd

SHA1
e06da9b4006cbc27c770b66114b64f9972a38781

SHA256
bce02ffe36d357b0b0b2bec8aa6fb4427a03a259ba028ebca97ff9a115956843

SHA512
846a79ee6ec17cef4d9b503d8955f46e07956062adcdb8bf49ba5dda5bf6d85c04953163f501646c3a352f7500e7983bd8e991ce6b3dbe2e2f94899039af403b

Download Submit
memory/3152-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3152-21658-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download