Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 16/05/2024, 12:28
Behavioral task: behavioral1
- Sample: de86bcecd5ab117c9ddb8d6656cd2c20_NeikiAnalytics.exe
- Resource: win7-20240508-en
General
- Target: de86bcecd5ab117c9ddb8d6656cd2c20_NeikiAnalytics.exe
- Size: 89KB
- MD5: de86bcecd5ab117c9ddb8d6656cd2c20
- SHA1: a6c5feb3548f464de304ede65e05f951135462b8
- SHA256: 4f8eab55c185ced3aec2de348aec9026a3ae9d2b07a7086cd87225e4d20e3387
- SHA512: 87888d11431b6647bcb3e80c84e37fcb3193a7fbcc524f7af45306484fa91d697577635fe050d29f5720bb976741f72c2ff25f125ddc50f26a0d9764a44d4185
- SSDEEP: 768:ZMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:ZbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  2196  omsecor.exe
  2880  omsecor.exe
  3004  omsecor.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  2976  de86bcecd5ab117c9ddb8d6656cd2c20_NeikiAnalytics.exe
  2976  de86bcecd5ab117c9ddb8d6656cd2c20_NeikiAnalytics.exe
  2196  omsecor.exe
  2196  omsecor.exe
  2880  omsecor.exe
  2880  omsecor.exe

Drops file in System32 directory (1 IoC)
  description   ioc                               Process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid   Process                                               procid_target
  PID 2976 wrote to memory of 2196    2976  de86bcecd5ab117c9ddb8d6656cd2c20_NeikiAnalytics.exe   28
  PID 2976 wrote to memory of 2196    2976  de86bcecd5ab117c9ddb8d6656cd2c20_NeikiAnalytics.exe   28
  PID 2976 wrote to memory of 2196    2976  de86bcecd5ab117c9ddb8d6656cd2c20_NeikiAnalytics.exe   28
  PID 2976 wrote to memory of 2196    2976  de86bcecd5ab117c9ddb8d6656cd2c20_NeikiAnalytics.exe   28
  PID 2196 wrote to memory of 2880    2196  omsecor.exe                                           32
  PID 2196 wrote to memory of 2880    2196  omsecor.exe                                           32
  PID 2196 wrote to memory of 2880    2196  omsecor.exe                                           32
  PID 2196 wrote to memory of 2880    2196  omsecor.exe                                           32
  PID 2880 wrote to memory of 3004    2880  omsecor.exe                                           33
  PID 2880 wrote to memory of 3004    2880  omsecor.exe                                           33
  PID 2880 wrote to memory of 3004    2880  omsecor.exe                                           33
  PID 2880 wrote to memory of 3004    2880  omsecor.exe                                           33
Processes

1. C:\Users\Admin\AppData\Local\Temp\de86bcecd5ab117c9ddb8d6656cd2c20_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\de86bcecd5ab117c9ddb8d6656cd2c20_NeikiAnalytics.exe"
   PID: 2976
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2196
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2880
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 3004
            - Executes dropped EXE