Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-05-2024 22:21
Behavioral task: behavioral1
- Sample: 4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe
- Resource: win7-20240221-en
General
- Target: 4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe
- Size: 35KB
- MD5: 4a3e205eda2bf17b4814f80634f85020
- SHA1: 86b186846dd3e3d0c9991f67bdf15acfe810a119
- SHA256: 611c99ba02d45fb455adedfbf2fcd66ef46786e9805a60ea0b691c21e41b82a8
- SHA512: d87c476cc2ebcadfc0ba8826873536c20dc5bb7600bdb0c16841855ef8103fe5985082bed349defc1c662d1e6949655e97c7a0a3556f3a701009602d7429095f
- SSDEEP: 768:T6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:O8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (2 IoCs)
Processes (pid | process):
- 1072 | omsecor.exe
- 3028 | omsecor.exe

UPX YARA rule matches (resource | yara_rule):
- behavioral2/memory/4288-1-0x0000000000400000-0x000000000042D000-memory.dmp | upx
- C:\Users\Admin\AppData\Roaming\omsecor.exe | upx
- behavioral2/memory/1072-6-0x0000000000400000-0x000000000042D000-memory.dmp | upx
- behavioral2/memory/1072-7-0x0000000000400000-0x000000000042D000-memory.dmp | upx
- behavioral2/memory/1072-10-0x0000000000400000-0x000000000042D000-memory.dmp | upx
- behavioral2/memory/1072-13-0x0000000000400000-0x000000000042D000-memory.dmp | upx
- behavioral2/memory/1072-14-0x0000000000400000-0x000000000042D000-memory.dmp | upx
- C:\Windows\SysWOW64\omsecor.exe | upx
- behavioral2/memory/1072-20-0x0000000000400000-0x000000000042D000-memory.dmp | upx
- behavioral2/memory/3028-21-0x0000000000400000-0x000000000042D000-memory.dmp | upx
- behavioral2/memory/3028-22-0x0000000000400000-0x000000000042D000-memory.dmp | upx
- behavioral2/memory/3028-25-0x0000000000400000-0x000000000042D000-memory.dmp | upx

Drops file in System32 directory (2 IoCs)
Processes (description | ioc | process):
- File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
- File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | omsecor.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process):
- PID 4288 wrote to memory of 1072 | 4288 | 4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe | omsecor.exe
- PID 4288 wrote to memory of 1072 | 4288 | 4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe | omsecor.exe
- PID 4288 wrote to memory of 1072 | 4288 | 4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe | omsecor.exe
- PID 1072 wrote to memory of 3028 | 1072 | omsecor.exe | omsecor.exe
- PID 1072 wrote to memory of 3028 | 1072 | omsecor.exe | omsecor.exe
- PID 1072 wrote to memory of 3028 | 1072 | omsecor.exe | omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe"
   - Suspicious use of WriteProcessMemory
   PID: 4288
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      PID: 1072
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Drops file in System32 directory
         PID: 3028
Downloads
- Filesize: 35KB
  MD5: 47d23b50ebffe846cc961a2047352357
  SHA1: ac1ddb731430964777d181ab3bd6c72a32b812eb
  SHA256: 5fd29ff0315b2f103f48d9645b705bd8d79484348562ec8df0c61a8e4fd5a04b
  SHA512: 1c702185a320324ee2df176cc0808da8ca55fcf946b3e8178a173cf390bf1a998a36a751bdc34e69b60b0270905eff99f38551ce698634f0bd0a1cbd38d86122
- Filesize: 35KB
  MD5: 35e1a71514f0f9e71e3900afb564f098
  SHA1: 5388563141e847552f4d94ad8f1c3f0e333a5b99
  SHA256: e52320d1c25883a936646abaef0a1b6dae7f6405e424cbbd968a7a0b06442da2
  SHA512: c2e34a6ba0b0595b6eb04d59852662648ec655f2eecbf5ae76a9c1bcfa4b07dd2129e0671bd3e4a62ed1c755629007a3addb00f8d5911dfbab19233024fd7b98