Analysis
max time kernel: 145s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 11/05/2024, 01:35
Behavioral task: behavioral1
Sample: 4dde36502dc77fbcc5cb3d22d0c2b450_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 4dde36502dc77fbcc5cb3d22d0c2b450_NeikiAnalytics.exe
Size: 89KB
MD5: 4dde36502dc77fbcc5cb3d22d0c2b450
SHA1: a9f891e3f72ab1848bdb2d324bdb5aa56e586930
SHA256: c8d66f81fb6872e9a575e3d9c96d74dc656884c5af212431c3ce03b6519c1796
SHA512: 97a887c89c96902445b8a034dc063e4cf1c0b77a5558fcffd2bae0a5826a69b85b273ae09f911c0dac7b48a76153b4a952530b4838a1cc1e9d3f30df426a7c21
SSDEEP: 768:+MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:+bIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
pid   Process
4764  omsecor.exe
3364  omsecor.exe
1332  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description         pid   Process                                              procid_target
PID 1160 wrote to memory of 4764  4dde36502dc77fbcc5cb3d22d0c2b450_NeikiAnalytics.exe  83
PID 1160 wrote to memory of 4764  4dde36502dc77fbcc5cb3d22d0c2b450_NeikiAnalytics.exe  83
PID 1160 wrote to memory of 4764  4dde36502dc77fbcc5cb3d22d0c2b450_NeikiAnalytics.exe  83
PID 4764 wrote to memory of 3364  omsecor.exe  102
PID 4764 wrote to memory of 3364  omsecor.exe  102
PID 4764 wrote to memory of 3364  omsecor.exe  102
PID 3364 wrote to memory of 1332  omsecor.exe  103
PID 3364 wrote to memory of 1332  omsecor.exe  103
PID 3364 wrote to memory of 1332  omsecor.exe  103
Processes

1. C:\Users\Admin\AppData\Local\Temp\4dde36502dc77fbcc5cb3d22d0c2b450_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4dde36502dc77fbcc5cb3d22d0c2b450_NeikiAnalytics.exe"
   PID: 1160
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 4764
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 3364
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1332
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 89KB
MD5: e7c3db1a26083756f3defd0a18f70303
SHA1: ed0c64822e50b22c6676426fbb2b6712c9d4ec59
SHA256: 56f175d33b3af7737942a6ca48c634b29bc5b92eff8be161d670c17d5fc808df
SHA512: 0c9364c3f033b52aeccd6745e8d096d6969988cf8164d601da1bf44ea9825e2a2618b3fcc7a8ca50015985d4873bbfc1c42eee3a4894bba37a6d8880bc257d58

Filesize: 89KB
MD5: 119722b7d67e6d94fdac45a8832e64cc
SHA1: 47057b09e1aa4f37e21add9e90902c3697f3b42d
SHA256: 3a0a527a0b2e01a65e0557190be3223f6c5b66939a0718f113076a19b66cc037
SHA512: d5857adaedd80c0de0fe80f1b7603f573cb2688469d3a3cc460914b807b28df1452908e6f3229a340b46d42845dc223110bdcd1be598aa346f003b605e0fa532

Filesize: 89KB
MD5: cb26fe3e0db4f6fc0c8e3b7cf3c2881d
SHA1: eabd8a478d22a8e7f96330347d8bdcd191d50856
SHA256: ecb20b7b6099dfe101ab047a7c0d93b1cf194e52c5ab76ba9474bb874d111439
SHA512: e202f7437cf95961ae3ffb2f166e1dcf20736be1da70533ba9a531033027d2c5fb9fda54c810241e5a87c4111589a83d14ed88050015362e76f63c540b64f29f