Analysis

- max time kernel: 149s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-05-2024 23:06
Behavioral task

- behavioral1
- Sample: 560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe
- Resource: win7-20240221-en
General

- Target: 560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe
- Size: 72KB
- MD5: 560483ba12b15ea6a143e386d936be90
- SHA1: 5168679dcd5f2fa464e1e149036d7b8571ca64db
- SHA256: 9fe28c5afd054913b2e138ac47e9690a77b452725f85fea48e6d0fa9d34eee9b
- SHA512: 27ebc83ef129f549f8942f046d0f01b427139961700dad578da2065d3d94f0eeeba4301fe015f9e98539c6c5d4ca1d18264c42bb2b19b56333cb67b8348ba5ad
- SSDEEP: 1536:Ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211:7dseIOMEZEyFjEOFqTiQm5l/5211
Malware Config

Extracted
- Family: neconyd
- C2: http://ow5dirasuek.com/
- C2: http://mkkuei4kdsz.com/
- C2: http://lousta.net/
Signatures

- Executes dropped EXE (3 IoCs)
  Processes:
  pid   process
  1360  omsecor.exe
  4460  omsecor.exe
  2208  omsecor.exe

- Drops file in System32 directory (1 IoC)
  Processes:
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe, omsecor.exe, omsecor.exe
  description                          pid   process                                               target process
  PID 1020 wrote to memory of 1360     1020  560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe  omsecor.exe
  PID 1020 wrote to memory of 1360     1020  560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe  omsecor.exe
  PID 1020 wrote to memory of 1360     1020  560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe  omsecor.exe
  PID 1360 wrote to memory of 4460     1360  omsecor.exe                                           omsecor.exe
  PID 1360 wrote to memory of 4460     1360  omsecor.exe                                           omsecor.exe
  PID 1360 wrote to memory of 4460     1360  omsecor.exe                                           omsecor.exe
  PID 4460 wrote to memory of 2208     4460  omsecor.exe                                           omsecor.exe
  PID 4460 wrote to memory of 2208     4460  omsecor.exe                                           omsecor.exe
  PID 4460 wrote to memory of 2208     4460  omsecor.exe                                           omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe"
   PID: 1020
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1360
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 4460
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2208
            - Executes dropped EXE

The number is the depth in the tree: the submitted sample starts omsecor.exe from the user's Roaming profile, that copy starts the copy it dropped under SysWOW64, and that one starts the Roaming copy again. The level-3 entry names System32 on its command line but runs from SysWOW64, which indicates a 32-bit process: WOW64 file-system redirection maps C:\Windows\System32 to C:\Windows\SysWOW64 for 32-bit code, and that is also why the "Drops file in System32 directory" IoC resolves to a SysWOW64 path.
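The nine WriteProcessMemory records in the Signatures section are a flattened parent-to-child chain. As an added example (not part of the sandbox report), the Python below parses those records, collapses the repeated lines into edges with a per-edge write count, and walks the chain from the process that is never a write target (the submitted sample) to the last omsecor.exe; the only input is the report's own text, embedded inline. The record layout assumed by the regular expression is the one shown on this page: source PID, target PID, the source PID repeated, then the two image names.

```python
"""Rebuild the process lineage from the report's 'Suspicious use of
WriteProcessMemory' records (added example, not part of the sandbox report)."""
import re
from collections import OrderedDict

# Copied from the report's signature block. The sandbox logs one record per
# cross-process write, so each parent/child pair appears three times.
WRITE_RECORDS = """
PID 1020 wrote to memory of 1360 1020 560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe omsecor.exe
PID 1020 wrote to memory of 1360 1020 560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe omsecor.exe
PID 1020 wrote to memory of 1360 1020 560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe omsecor.exe
PID 1360 wrote to memory of 4460 1360 omsecor.exe omsecor.exe
PID 1360 wrote to memory of 4460 1360 omsecor.exe omsecor.exe
PID 1360 wrote to memory of 4460 1360 omsecor.exe omsecor.exe
PID 4460 wrote to memory of 2208 4460 omsecor.exe omsecor.exe
PID 4460 wrote to memory of 2208 4460 omsecor.exe omsecor.exe
PID 4460 wrote to memory of 2208 4460 omsecor.exe omsecor.exe
"""

# Record layout (as shown on this page):
#   "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
# The backreference requires the repeated source PID to match, so records that
# were mangled when the table was flattened are dropped instead of mis-parsed.
RECORD_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_writes(text):
    """Return (src_pid, dst_pid, src_image, dst_image) for every well-formed record."""
    writes = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            writes.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return writes


def summarise(writes):
    """Collapse repeated records into edges with a write count and name each PID."""
    edges = OrderedDict()   # (src, dst) -> number of writes
    images = {}             # pid -> image name
    for src, dst, src_img, dst_img in writes:
        edges[(src, dst)] = edges.get((src, dst), 0) + 1
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
    return edges, images


def lineage(edges):
    """Walk from the PID that is never a target (the submitted sample) down the
    chain. Raises if the graph branches or loops: this report is a single chain,
    and a report with injection into several children would need a tree walk."""
    children = {}
    for src, dst in edges:
        children.setdefault(src, []).append(dst)
    targets = {dst for _, dst in edges}
    roots = [src for src in children if src not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one root, found {roots}")
    chain, pid, seen = [], roots[0], set()
    while True:
        if pid in seen:
            raise ValueError(f"cycle at pid {pid}")
        seen.add(pid)
        chain.append(pid)
        kids = children.get(pid, [])
        if not kids:
            return chain
        if len(kids) > 1:
            raise ValueError(f"pid {pid} has several targets: {kids}")
        pid = kids[0]


def lineage_report(text=WRITE_RECORDS):
    """Return the chain as 'pid image' strings plus the per-edge write counts."""
    edges, images = summarise(parse_writes(text))
    chain = lineage(edges)
    return [f"{pid} {images[pid]}" for pid in chain], dict(edges)


if __name__ == "__main__":
    chain, counts = lineage_report()
    print(" -> ".join(chain))
    for (src, dst), n in counts.items():
        print(f"{src} -> {dst}: {n} write(s)")
```

The recovered chain (1020 -> 1360 -> 4460 -> 2208) matches the process tree above; the write count per edge is kept rather than discarded so that a report where one parent writes far more often into one child than into another stands out when the same script is run over it.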
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 72KB
  MD5: 5122c2fcaaba9aafadfb0b1331d42638
  SHA1: 36a9252e2f2b1dd47381f527997753722147d0f6
  SHA256: d3d0be9439335c979c4a127a90102dae0a1e860f2420661689c7871af9d43cd3
  SHA512: 8d57f38ccfee7031d743ef6247d517b469cbbc3adec833e20b5346e5821d56421b15518f075badf10202053b8465759c974c2f2fd21dde133ebfd755d003a507

- Filesize: 72KB
  MD5: 913138a0d13d9bea5212ead7c8ecb86f
  SHA1: 7865ec6784b9e7510ec2ca08409c1a33f16656d3
  SHA256: f4c21fd66a164398278bc627ea7213185108275443a7fa0bed3e734e0f71cf12
  SHA512: ce0e9203e6c321f267f75a3472df8b1971035048ac6c99202ce7bd6e72011f1d6b0628cca18dfe7659ece1447ea7f25e25a8d678ee6bbce13709cfcf94e167b7

- Filesize: 72KB
  MD5: 0f80ec2a5fea78f2ef1dbdd9a17c2e95
  SHA1: 1600c8e6bc541c796711a67ac53adaf4712eb6c3
  SHA256: 99e1e4df7c395c0d7a42970f702f258bd478c9025460cd2da22ac91b1c21f481
  SHA512: b41da0939441b5ea6c431143b3bb72819be6e52581417e509683fc3eacea55696f2d0c20253f2ce8fab0ee245e7c71786a1928057f8ffe3a5cf43a2e12213379
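The three dropped files are all 72KB yet hash differently from the submitted sample and from each other, so a hash-only indicator for this run has to carry all four SHA-256 values. As an added example (not part of the sandbox report), the Python below turns this page's indicators into three checks and runs them over constructed log events: the SHA-256 values from General and Downloads, the hostnames derived from the extracted neconyd C2 URLs, and a behavioural rule generalised from the single "Drops file in System32 directory" event (an executable running out of a user's AppData\Roaming writing an .exe into System32 or SysWOW64). The event dictionaries and their field names are an assumption for the example, not a format any particular log source emits.

```python
"""IoC checks derived from the sandbox report above, run over constructed
events (added example, not part of the report)."""
from urllib.parse import urlparse

# Values copied from the report.
SAMPLE_SHA256 = "9fe28c5afd054913b2e138ac47e9690a77b452725f85fea48e6d0fa9d34eee9b"
DROPPED_SHA256 = {
    "d3d0be9439335c979c4a127a90102dae0a1e860f2420661689c7871af9d43cd3",
    "f4c21fd66a164398278bc627ea7213185108275443a7fa0bed3e734e0f71cf12",
    "99e1e4df7c395c0d7a42970f702f258bd478c9025460cd2da22ac91b1c21f481",
}
C2_URLS = ["http://ow5dirasuek.com/", "http://mkkuei4kdsz.com/", "http://lousta.net/"]


def c2_hosts(urls):
    """Hostnames to watch in DNS and proxy logs, derived from the config URLs."""
    return {urlparse(u).hostname.lower() for u in urls}


def is_suspicious_drop(image, target):
    """Behavioural rule generalised from the report's single drop event: a
    process whose image lives under a user's AppData\\Roaming creates an .exe
    under System32 or SysWOW64 (SysWOW64 is where a 32-bit process's writes to
    System32 land after WOW64 redirection)."""
    img = image.lower()
    tgt = target.lower()
    from_appdata = "\\appdata\\roaming\\" in img
    into_system = tgt.startswith("c:\\windows\\system32\\") or tgt.startswith(
        "c:\\windows\\syswow64\\"
    )
    return from_appdata and into_system and tgt.endswith(".exe")


def match_events(events, hashes=None, hosts=None):
    """Return (check, value) pairs for every event that matches an indicator.
    Hostnames are compared case-insensitively with a trailing dot removed, as
    DNS logs often record them."""
    hashes = hashes if hashes is not None else DROPPED_SHA256 | {SAMPLE_SHA256}
    hosts = hosts if hosts is not None else c2_hosts(C2_URLS)
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "dns" and ev["query"].lower().rstrip(".") in hosts:
            hits.append(("c2_dns", ev["query"]))
        elif kind == "file_hash" and ev["sha256"].lower() in hashes:
            hits.append(("known_hash", ev["sha256"]))
        elif kind == "file_create" and is_suspicious_drop(ev["image"], ev["target"]):
            hits.append(("system_dir_drop", ev["target"]))
    return hits


# Constructed sample events (not from the report). The last two are benign
# noise that must not match: a System32-resident image writing into System32,
# and an unrelated DNS lookup.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "ow5dirasuek.com"},
    {"type": "dns", "query": "LOUSTA.NET."},
    {"type": "file_hash",
     "sha256": "d3d0be9439335c979c4a127a90102dae0a1e860f2420661689c7871af9d43cd3"},
    {"type": "file_create",
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "target": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"type": "file_create",
     "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Windows\SysWOW64\installer.exe"},
    {"type": "dns", "query": "www.example.com"},
]

if __name__ == "__main__":
    for check, value in match_events(SAMPLE_EVENTS):
        print(f"{check:16} {value}")
```

The hash check is the narrowest of the three and will miss the next run of the same family if each drop is rewritten again; the hostname and drop-location checks survive that, at the cost of needing a review of any legitimate installer that happens to run from a Roaming profile.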