Analysis

max time kernel: 147s
max time network: 155s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 23:06
Behavioral task: behavioral1
Sample: 560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: 560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe
Size: 72KB
MD5: 560483ba12b15ea6a143e386d936be90
SHA1: 5168679dcd5f2fa464e1e149036d7b8571ca64db
SHA256: 9fe28c5afd054913b2e138ac47e9690a77b452725f85fea48e6d0fa9d34eee9b
SHA512: 27ebc83ef129f549f8942f046d0f01b427139961700dad578da2065d3d94f0eeeba4301fe015f9e98539c6c5d4ca1d18264c42bb2b19b56333cb67b8348ba5ad
SSDEEP: 1536:Ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211:7dseIOMEZEyFjEOFqTiQm5l/5211
Malware Config

Extracted: neconyd
URLs:
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
  PID 3036  omsecor.exe
  PID 2696  omsecor.exe
  PID 2768  omsecor.exe

Loads dropped DLL (6 IoCs)
  PID 2216  560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe  (2 events)
  PID 3036  omsecor.exe  (2 events)
  PID 2696  omsecor.exe  (2 events)

Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\omsecor.exe  (by omsecor.exe)

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2216 (560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe) wrote to memory of PID 3036 (omsecor.exe)  (4 events)
  PID 3036 (omsecor.exe) wrote to memory of PID 2696 (omsecor.exe)  (4 events)
  PID 2696 (omsecor.exe) wrote to memory of PID 2768 (omsecor.exe)  (4 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe"
   PID: 2216
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 3036
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2696
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2768
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 72KB
MD5: 913138a0d13d9bea5212ead7c8ecb86f
SHA1: 7865ec6784b9e7510ec2ca08409c1a33f16656d3
SHA256: f4c21fd66a164398278bc627ea7213185108275443a7fa0bed3e734e0f71cf12
SHA512: ce0e9203e6c321f267f75a3472df8b1971035048ac6c99202ce7bd6e72011f1d6b0628cca18dfe7659ece1447ea7f25e25a8d678ee6bbce13709cfcf94e167b7

Filesize: 72KB
MD5: 8c4d20f2bc54dbefa7fb35520743ede0
SHA1: f43a6f3969d8f5a2eed4ff94b10cc79cfc937880
SHA256: 547e850cebfec5ea3747e6644239b2e2916ef3573d2cd48d49a88aba47e08837
SHA512: 8681877495543e1e7b7f7894c2573fc19bed5a089b4df197a5d661191b46732e7a8218909c85288b579905972558ebc8fd4d01152a2dc6acfa43a4356caee602

Filesize: 72KB
MD5: afa9ddcee5ebe39e1e67c318410ba9a4
SHA1: 265e75987013d04dac280d9b587c7c1a355182e0
SHA256: 614ddfeaff2f292a12602b054112f73835c119779b197d63463b7296b5fb741d
SHA512: d8cc87688981139398729af715fc8e963a0910a50a7c0159306f57e58df11e41b96e4ab5fb255f584504223c16b922c6e5ce7f4ff3dc13465e066f6cb8025c30