Analysis

max time kernel: 146s
max time network: 152s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 22:21
Behavioral task: behavioral1
Sample: 4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: 4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe
Size: 35KB
MD5: 4a3e205eda2bf17b4814f80634f85020
SHA1: 86b186846dd3e3d0c9991f67bdf15acfe810a119
SHA256: 611c99ba02d45fb455adedfbf2fcd66ef46786e9805a60ea0b691c21e41b82a8
SHA512: d87c476cc2ebcadfc0ba8826873536c20dc5bb7600bdb0c16841855ef8103fe5985082bed349defc1c662d1e6949655e97c7a0a3556f3a701009602d7429095f
SSDEEP: 768:T6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:O8Z0kA7FHlO2OwOTUtKjpB
Malware Config

Extracted family: neconyd
C2 URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes (pid, process):
2908 omsecor.exe
2300 omsecor.exe
1896 omsecor.exe

Loads dropped DLL (6 IoCs)
Processes (pid, process):
292 4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe
292 4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe
2908 omsecor.exe
2908 omsecor.exe
2300 omsecor.exe
2300 omsecor.exe

YARA rule matches (resource, yara_rule):
behavioral1/memory/292-0-0x0000000000400000-0x000000000042D000-memory.dmp upx
\Users\Admin\AppData\Roaming\omsecor.exe upx
behavioral1/memory/292-11-0x0000000000400000-0x000000000042D000-memory.dmp upx
behavioral1/memory/2908-13-0x0000000000400000-0x000000000042D000-memory.dmp upx
behavioral1/memory/2908-15-0x0000000000400000-0x000000000042D000-memory.dmp upx
behavioral1/memory/2908-18-0x0000000000400000-0x000000000042D000-memory.dmp upx
behavioral1/memory/2908-21-0x0000000000400000-0x000000000042D000-memory.dmp upx
behavioral1/memory/2908-24-0x0000000000400000-0x000000000042D000-memory.dmp upx
\Windows\SysWOW64\omsecor.exe upx
behavioral1/memory/2908-35-0x0000000000400000-0x000000000042D000-memory.dmp upx
behavioral1/memory/2300-36-0x0000000000400000-0x000000000042D000-memory.dmp upx
behavioral1/memory/2908-27-0x0000000000380000-0x00000000003AD000-memory.dmp upx
\Users\Admin\AppData\Roaming\omsecor.exe upx
behavioral1/memory/2300-46-0x0000000000400000-0x000000000042D000-memory.dmp upx
behavioral1/memory/1896-49-0x0000000000400000-0x000000000042D000-memory.dmp upx
behavioral1/memory/1896-50-0x0000000000400000-0x000000000042D000-memory.dmp upx
behavioral1/memory/1896-53-0x0000000000400000-0x000000000042D000-memory.dmp upx

Drops file in System32 directory (1 IoCs)
Processes (description, ioc, process):
File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
PID 292 wrote to memory of 2908 292 4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe omsecor.exe
PID 292 wrote to memory of 2908 292 4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe omsecor.exe
PID 292 wrote to memory of 2908 292 4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe omsecor.exe
PID 292 wrote to memory of 2908 292 4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe omsecor.exe
PID 2908 wrote to memory of 2300 2908 omsecor.exe omsecor.exe
PID 2908 wrote to memory of 2300 2908 omsecor.exe omsecor.exe
PID 2908 wrote to memory of 2300 2908 omsecor.exe omsecor.exe
PID 2908 wrote to memory of 2300 2908 omsecor.exe omsecor.exe
PID 2300 wrote to memory of 1896 2300 omsecor.exe omsecor.exe
PID 2300 wrote to memory of 1896 2300 omsecor.exe omsecor.exe
PID 2300 wrote to memory of 1896 2300 omsecor.exe omsecor.exe
PID 2300 wrote to memory of 1896 2300 omsecor.exe omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe"
   PID: 292
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

2. C:\Users\Admin\AppData\Roaming\omsecor.exe (child of PID 292)
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   PID: 2908
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\omsecor.exe (child of PID 2908)
   Command line: C:\Windows\System32\omsecor.exe
   PID: 2300
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

4. C:\Users\Admin\AppData\Roaming\omsecor.exe (child of PID 2300)
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   PID: 1896
   - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

Dropped file 1
Filesize: 35KB
MD5: 47d23b50ebffe846cc961a2047352357
SHA1: ac1ddb731430964777d181ab3bd6c72a32b812eb
SHA256: 5fd29ff0315b2f103f48d9645b705bd8d79484348562ec8df0c61a8e4fd5a04b
SHA512: 1c702185a320324ee2df176cc0808da8ca55fcf946b3e8178a173cf390bf1a998a36a751bdc34e69b60b0270905eff99f38551ce698634f0bd0a1cbd38d86122

Dropped file 2
Filesize: 35KB
MD5: 35e1a71514f0f9e71e3900afb564f098
SHA1: 5388563141e847552f4d94ad8f1c3f0e333a5b99
SHA256: e52320d1c25883a936646abaef0a1b6dae7f6405e424cbbd968a7a0b06442da2
SHA512: c2e34a6ba0b0595b6eb04d59852662648ec655f2eecbf5ae76a9c1bcfa4b07dd2129e0671bd3e4a62ed1c755629007a3addb00f8d5911dfbab19233024fd7b98

Dropped file 3
Filesize: 35KB
MD5: bca6842ed956c1c8deb3d032a37fc606
SHA1: 3ad42d601f00bcc11440343d78ba096e113f9cb4
SHA256: 61b7198d2b110c3867519c53677a00022a388c7e324ac1aeed68a970c2768209
SHA512: 93c97be2a07dc2f805678817b3f9c5b694d92aded45fc5c8f6f5891a2f11b3f8d87c6fec247becec0a9f813b94c546fdc9dfb2b8741b98c367a9a82420b05828