Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 21:42
Behavioral task: behavioral1
Sample: 419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe
Resource: win7-20240215-en
General
Target: 419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe
Size: 88KB
MD5: 419fb94993688f5ba07303c9ebfdd100
SHA1: 36c7bd34d76734e3f0d5f8930761b7e63c2c23eb
SHA256: 78275a526e8128da61eb9bcf7d23d082b513c78eec1b9864f3f54134d344be7e
SHA512: fb384da4b2b11f48876bae9fc4ac210b244f49d4d58d813ef3f6095b656e67789478a49348f27fe20ad4bb7e3f0bd4fe76cc677c1b676d90f35b41779f9b9351
SSDEEP: 768:uMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:ubIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Executes dropped EXE (3 IoCs)
Processes: omsecor.exe, omsecor.exe, omsecor.exe
pid | process
4324 | omsecor.exe
3672 | omsecor.exe
4400 | omsecor.exe
Drops file in System32 directory (1 IoCs)
Processes: omsecor.exe
description | ioc | process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe, omsecor.exe, omsecor.exe
description | pid | process | target process
PID 2204 wrote to memory of 4324 | 2204 | 419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe | omsecor.exe
PID 2204 wrote to memory of 4324 | 2204 | 419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe | omsecor.exe
PID 2204 wrote to memory of 4324 | 2204 | 419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe | omsecor.exe
PID 4324 wrote to memory of 3672 | 4324 | omsecor.exe | omsecor.exe
PID 4324 wrote to memory of 3672 | 4324 | omsecor.exe | omsecor.exe
PID 4324 wrote to memory of 3672 | 4324 | omsecor.exe | omsecor.exe
PID 3672 wrote to memory of 4400 | 3672 | omsecor.exe | omsecor.exe
PID 3672 wrote to memory of 4400 | 3672 | omsecor.exe | omsecor.exe
PID 3672 wrote to memory of 4400 | 3672 | omsecor.exe | omsecor.exe
Processes
C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe"
- Suspicious use of WriteProcessMemory
PID:2204
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4324
        C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID:3672
            C:\Users\Admin\AppData\Roaming\omsecor.exe
            C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            PID:4400
Downloads