Analysis
max time kernel: 135s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-05-2024 04:01
Behavioral task: behavioral1
Sample: 772ecfaf450037d110309a722be51cb0_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: 772ecfaf450037d110309a722be51cb0_NeikiAnalytics.exe
Size: 62KB
MD5: 772ecfaf450037d110309a722be51cb0
SHA1: 80b35673363b09dadb9f15da611fe557480401ad
SHA256: 81642b660cc4cfea91eb2ac9b2227bb9050ac963a94539562c204a2839a796e0
SHA512: 533cc1a1dd0b23c64a7eb40ac0a00c51f0eb6f2fbf5b2d22380c3cc9041e04279ee59b359008ec2fe7e1f526f400ee618026490794d4d6e970a652399fd12269
SSDEEP: 768:TMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uA:TbIvYvZEyFKF6N4yS+AQmZtl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
  pid    Process
  4736   omsecor.exe
  2800   omsecor.exe
  4888   omsecor.exe

Drops file in System32 directory (1 IoCs)
  description    ioc                               Process
  File created   C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                         pid    Process                                               procid_target
  PID 768 wrote to memory of 4736     768    772ecfaf450037d110309a722be51cb0_NeikiAnalytics.exe   82
  PID 768 wrote to memory of 4736     768    772ecfaf450037d110309a722be51cb0_NeikiAnalytics.exe   82
  PID 768 wrote to memory of 4736     768    772ecfaf450037d110309a722be51cb0_NeikiAnalytics.exe   82
  PID 4736 wrote to memory of 2800    4736   omsecor.exe                                           93
  PID 4736 wrote to memory of 2800    4736   omsecor.exe                                           93
  PID 4736 wrote to memory of 2800    4736   omsecor.exe                                           93
  PID 2800 wrote to memory of 4888    2800   omsecor.exe                                           94
  PID 2800 wrote to memory of 4888    2800   omsecor.exe                                           94
  PID 2800 wrote to memory of 4888    2800   omsecor.exe                                           94
Processes

1. C:\Users\Admin\AppData\Local\Temp\772ecfaf450037d110309a722be51cb0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\772ecfaf450037d110309a722be51cb0_NeikiAnalytics.exe"
   PID: 768
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 4736
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2800
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 4888
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 62KB
MD5: 5ce50dfb074ac70a7654e2319faa4efb
SHA1: 42b9f2b7340aefc50a80fe8bbc67008ac1402aa1
SHA256: bad9403d2799f619376b1c7ba95460367e7a1b598b38e8dd7afbd443f9fe8b27
SHA512: 2a37fd364042d4e16496fb826a6ef3f2e51b4872a09490771e7bbbed24bfd988bd5bd732071c63119e96ae534186a16b4e2d86790168e5259363e6cf092459dc

Filesize: 62KB
MD5: 844a6f85dc6f625c6fa369eabaab7156
SHA1: 13362756b49d39838a1f1b64cef6e69c4f3c294c
SHA256: 48642b198f4912ee5181c1b92207006d272ca3f5097a59c29b1bd11f29cb5214
SHA512: f7f433136e440a7d9a80e949cf45dc7243b6772302a3477bdd218e95258c9fed261c70b2626c20fc79d5b2531cca84b90c68bb6818da0164f38f90132fde99fe

Filesize: 62KB
MD5: 2f88e96bb372e463a454dd4745c547f0
SHA1: 18f6596af570a2f633604b589be043a89a1b39bb
SHA256: bb5f80508256d9514fa6ff9e1de60a79ceb603fa801da33643f6923c5fa5cf68
SHA512: 2aa766fe4e295770c36c63fd86e536d5d323ecaad34751027213778e8ee09d9cf7fd113fd1621332bce143ec7f3ac5b424c7f17a2ba7e76046fd8776a154ceb0