Analysis
max time kernel: 145s
max time network: 148s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 22:28
Behavioral task: behavioral1
Sample: 4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe
Size: 35KB
MD5: 4c1844acd093de809b95044c34eb5020
SHA1: f410b1a20a30d947c8a2b158520e0640779f51d2
SHA256: 0f4810f9b49d94e5262128a2456486b076734db252d2ca492463c8a21485ba53
SHA512: ff2bcc8f8dbfa946bffc34f576672c3f16216f12605616d8093114725470388b0cb9961b31904a87128042eb95d75b4d0c16c5326140e98f0a09b5bc2afb1962
SSDEEP: 768:u6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:18Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE 3 IoCs
pid   process
820   omsecor.exe
2200  omsecor.exe
1612  omsecor.exe

Loads dropped DLL 6 IoCs
pid   process
3000  4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe
3000  4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe
820   omsecor.exe
820   omsecor.exe
2200  omsecor.exe
2200  omsecor.exe
YARA rule match: upx 16 IoCs
(Every matched resource below is tagged by the same yara_rule, upx: the sample, both dropped copies on disk, and every memory dump of the four processes. The 0x400000-0x42D000 range is the mapped image of each process; the 0x3A0000 and 0x350000 ranges in PIDs 3000 and 820 are separate regions that still carry the UPX signature.)
resource                                                                     yara_rule
behavioral1/memory/3000-0-0x0000000000400000-0x000000000042D000-memory.dmp   upx
\Users\Admin\AppData\Roaming\omsecor.exe                                     upx
behavioral1/memory/3000-10-0x0000000000400000-0x000000000042D000-memory.dmp  upx
behavioral1/memory/3000-9-0x00000000003A0000-0x00000000003CD000-memory.dmp   upx
behavioral1/memory/820-14-0x0000000000400000-0x000000000042D000-memory.dmp   upx
behavioral1/memory/820-18-0x0000000000400000-0x000000000042D000-memory.dmp   upx
behavioral1/memory/820-21-0x0000000000400000-0x000000000042D000-memory.dmp   upx
behavioral1/memory/820-24-0x0000000000400000-0x000000000042D000-memory.dmp   upx
\Windows\SysWOW64\omsecor.exe                                                upx
behavioral1/memory/820-27-0x0000000000350000-0x000000000037D000-memory.dmp   upx
behavioral1/memory/820-34-0x0000000000400000-0x000000000042D000-memory.dmp   upx
\Users\Admin\AppData\Roaming\omsecor.exe                                     upx
behavioral1/memory/2200-45-0x0000000000400000-0x000000000042D000-memory.dmp  upx
behavioral1/memory/1612-47-0x0000000000400000-0x000000000042D000-memory.dmp  upx
behavioral1/memory/1612-49-0x0000000000400000-0x000000000042D000-memory.dmp  upx
behavioral1/memory/1612-52-0x0000000000400000-0x000000000042D000-memory.dmp  upx
Drops file in System32 directory 1 IoCs
description   ioc                               process
File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
(Note the path. The sample is a 32-bit image (resource tag arch:x86, image base 0x400000, SysWOW64 image path) running on an x64 host, so a write it directs at C:\Windows\System32 is transparently redirected by WOW64 file-system redirection to C:\Windows\SysWOW64. That is why the child in the process tree has image C:\Windows\SysWOW64\omsecor.exe while its command line names C:\Windows\System32\omsecor.exe. When hunting on hosts, check both directories.)
Suspicious use of WriteProcessMemory 12 IoCs
description                       pid   process                                               target process
PID 3000 wrote to memory of 820   3000  4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe   omsecor.exe
PID 3000 wrote to memory of 820   3000  4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe   omsecor.exe
PID 3000 wrote to memory of 820   3000  4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe   omsecor.exe
PID 3000 wrote to memory of 820   3000  4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe   omsecor.exe
PID 820 wrote to memory of 2200   820   omsecor.exe                                           omsecor.exe
PID 820 wrote to memory of 2200   820   omsecor.exe                                           omsecor.exe
PID 820 wrote to memory of 2200   820   omsecor.exe                                           omsecor.exe
PID 820 wrote to memory of 2200   820   omsecor.exe                                           omsecor.exe
PID 2200 wrote to memory of 1612  2200  omsecor.exe                                           omsecor.exe
PID 2200 wrote to memory of 1612  2200  omsecor.exe                                           omsecor.exe
PID 2200 wrote to memory of 1612  2200  omsecor.exe                                           omsecor.exe
PID 2200 wrote to memory of 1612  2200  omsecor.exe                                           omsecor.exe
(In every row the target is the process the source has just spawned, so these calls trace the parent/child chain shown in the process tree below rather than injection into an unrelated process. Treat the table as the execution chain, not on its own as evidence of code injection.)
Processes
1. C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe"
   PID: 3000
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 820
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         command line: C:\Windows\System32\omsecor.exe
         PID: 2200
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1612
            - Executes dropped EXE
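The process tree and the WriteProcessMemory table describe a single chain: the sample in %TEMP% starts a copy from AppData\Roaming, which writes and starts a copy in SysWOW64 (via the System32 path), which in turn starts the AppData\Roaming copy again. The Python below is an added example, not code from the report or from the sandbox: it rebuilds that chain from hand-constructed event records that mirror the report's PIDs and paths, and applies the checks a detection engineer would derive from this page (execution from a user's AppData, a system-directory binary written or spawned by an AppData process, and the WOW64 System32 to SysWOW64 redirection visible on PID 2200). The record layout, regexes and rule names are the example's own.

```python
import ntpath
import re
from collections import defaultdict

# --- Constructed records mirroring the report (not sandbox output) ----------
SAMPLE = "4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"

# (pid, image path, command line, parent pid) as shown in the process tree
PROCESSES = [
    (3000, SAMPLE_PATH, '"' + SAMPLE_PATH + '"', None),
    (820, ROAMING, ROAMING, 3000),
    (2200, r"C:\Windows\SysWOW64\omsecor.exe", r"C:\Windows\System32\omsecor.exe", 820),
    (1612, ROAMING, ROAMING, 2200),
]
# "Drops file in System32 directory": (writer pid, created path)
FILE_CREATES = [(820, r"C:\Windows\SysWOW64\omsecor.exe")]
# "Suspicious use of WriteProcessMemory": (source pid, target pid), one row per call
WRITE_PROCESS_MEMORY = [(3000, 820)] * 4 + [(820, 2200)] * 4 + [(2200, 1612)] * 4

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)


def wow64_redirect(path, is_32bit_on_x64=True):
    """WOW64 file-system redirection: a 32-bit process on x64 that names
    C:\\Windows\\System32\\... actually gets C:\\Windows\\SysWOW64\\...
    This is why PID 2200's image is SysWOW64 while its command line says System32."""
    if not is_32bit_on_x64:
        return path
    return re.sub(r"^([a-z]:\\windows\\)system32\\", r"\1SysWOW64\\", path, flags=re.I)


def image_from_cmdline(cmdline):
    """First token of a command line, honouring a quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]


def build_chain(edges):
    """Collapse the repeated WriteProcessMemory rows into parent->child edges and
    return the root-to-leaf chain (the report's 1., 2., 3., 4. ordering)."""
    children, targets = defaultdict(list), set()
    for src, dst in dict.fromkeys(edges):  # dedupe while keeping order
        if dst not in children[src]:
            children[src].append(dst)
        targets.add(dst)
    roots = [s for s in children if s not in targets]
    chain, cur = [], roots[0]
    while cur is not None:
        chain.append(cur)
        cur = children[cur][0] if cur in children and children[cur] else None
    return chain


def analyse(processes, file_creates, wpm_edges):
    """Return (pid, rule_name) findings for the behaviour the report documents."""
    by_pid = {p[0]: p for p in processes}
    same = lambda a, b: ntpath.normcase(a) == ntpath.normcase(b)
    findings = []
    for pid, image, cmdline, parent in processes:
        if USER_WRITABLE.search(image):
            findings.append((pid, "runs_from_user_appdata"))
        cmd_path = image_from_cmdline(cmdline)
        if not same(cmd_path, image) and same(wow64_redirect(cmd_path), image):
            findings.append((pid, "cmdline_system32_redirected_to_syswow64"))
        if parent is not None and SYSTEM_DIRS.search(image) and USER_WRITABLE.search(by_pid[parent][1]):
            findings.append((pid, "system_dir_binary_with_appdata_parent"))
    for pid, path in file_creates:
        if SYSTEM_DIRS.search(path) and USER_WRITABLE.search(by_pid[pid][1]):
            findings.append((pid, "appdata_process_created_file_in_system_dir"))
    chain = build_chain(wpm_edges)
    if len(chain) >= 3:
        findings.append((chain[0], "wpm_parent_child_chain_len_%d" % len(chain)))
    return findings


if __name__ == "__main__":
    print("chain:", " -> ".join(map(str, build_chain(WRITE_PROCESS_MEMORY))))
    for pid, rule in analyse(PROCESSES, FILE_CREATES, WRITE_PROCESS_MEMORY):
        print("PID %-5d %s" % (pid, rule))
```

The WOW64 check is deliberately separate from the "wrote a system directory" check: the first is informational (it explains the path mismatch in the tree), the second is the one worth alerting on, since a binary in a user's AppData creating a file under SysWOW64 or System32 is rare in normal software.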
Network
MITRE ATT&CK Matrix
Downloads

1.
Filesize: 35KB
MD5: 66039958bca2e90753432bb1bf87d4bf
SHA1: c09d28def543147c6d9c79f0e0385f69603f7af0
SHA256: c75dcd8e1415a859379125ee75a3a15e6070e10bb5fd7e35084c3b012ff3b9c3
SHA512: c2d42d76a22eb42982145307ce8a7c790851b8c9d957c383792beed6bd4b89db836c7d2835b8663eec4c204ba1661b20d90d46ab7e61a868270c9ff93994b345

2.
Filesize: 35KB
MD5: 7415a6f771a3f8d91363ff51fcd11f0d
SHA1: 5cabdd2ec2c30ea092a4332a052dba85cb1932fa
SHA256: f9f0dea1531b980bc1e6a530122bc3051c3761a789644b20f9638c3d0cebaa8d
SHA512: 6311e379eaabb5a667d717925bb565bb0c474ea22d01a318973387d42af4a29d52777da9e3b2294d00eab05b55a898ae1205cb0f86528d65286ea9844ea18661

3.
Filesize: 35KB
MD5: a090e46a638581aa9f8fe79fa907ca5f
SHA1: 2a4fc879e30c9d6079d8e926c04580e98c66f63d
SHA256: 8f0c8466e526069c808be2fe8dcc735389c5cfaf2f9345135c247016817a2f3d
SHA512: 8ba041e825631e534925396f465d5f982b9267eb999fd4278ee88aca244bc393a8c5038d84b8fb520603d0badd4367c1751e0eca31f7445309b243ace4fa4ef5
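All three downloaded files are 35KB like the submitted sample, yet none of the four shares a hash with another, so an exact-hash sweep only catches the copies this particular run produced. The following Python is an added example, not part of the report: it hashes every file under a directory in one pass, matches against the report's MD5/SHA1/SHA256 values, and additionally flags the drop file name from the process tree so that a re-dropped copy with a fresh hash is still surfaced. The `demo()` fixture (a fake omsecor.exe containing the standard test vector b"abc", plus a benign file) is constructed so the script runs offline; the matching logic and reason labels are the example's own.

```python
import hashlib
import os
import tempfile

# Hashes copied from the report: the submitted sample and the three Downloads.
REPORT_HASHES = {
    "md5": {
        "4c1844acd093de809b95044c34eb5020", "66039958bca2e90753432bb1bf87d4bf",
        "7415a6f771a3f8d91363ff51fcd11f0d", "a090e46a638581aa9f8fe79fa907ca5f",
    },
    "sha1": {
        "f410b1a20a30d947c8a2b158520e0640779f51d2", "c09d28def543147c6d9c79f0e0385f69603f7af0",
        "5cabdd2ec2c30ea092a4332a052dba85cb1932fa", "2a4fc879e30c9d6079d8e926c04580e98c66f63d",
    },
    "sha256": {
        "0f4810f9b49d94e5262128a2456486b076734db252d2ca492463c8a21485ba53",
        "c75dcd8e1415a859379125ee75a3a15e6070e10bb5fd7e35084c3b012ff3b9c3",
        "f9f0dea1531b980bc1e6a530122bc3051c3761a789644b20f9638c3d0cebaa8d",
        "8f0c8466e526069c808be2fe8dcc735389c5cfaf2f9345135c247016817a2f3d",
    },
}
# File name used for both drop locations in the process tree.
DROP_NAME = "omsecor.exe"


def hash_file(path, algos=("md5", "sha1", "sha256"), chunk=1 << 20):
    """Read the file once and feed every digest from the same buffer."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def sweep(root, indicators=REPORT_HASHES, drop_name=DROP_NAME):
    """Return [(path, [reasons])] for files matching any hash or the drop file name."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                digests = hash_file(path)
            except OSError:  # unreadable/locked file: skip, do not abort the sweep
                continue
            reasons = [a for a in indicators if digests.get(a) in indicators[a]]
            if fn.lower() == drop_name:
                reasons.append("filename")
            if reasons:
                hits.append((path, sorted(reasons)))
    return hits


def demo():
    """Constructed fixture (assumption, not report data): a fake omsecor.exe whose
    content is b"abc", and a benign file. md5("abc") is added to the indicator set
    so the fixture produces both a hash hit and a filename hit."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    os.makedirs(os.path.join(root, "AppData", "Roaming"))
    with open(os.path.join(root, "AppData", "Roaming", "omsecor.exe"), "wb") as fh:
        fh.write(b"abc")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"benign content")
    indicators = {k: set(v) for k, v in REPORT_HASHES.items()}
    indicators["md5"].add("900150983cd24fb0d6963f7d28e17f72")  # md5("abc")
    return sweep(root, indicators)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, reasons)
```

On a real host point `sweep()` at the user profile and C:\Windows\SysWOW64 (and C:\Windows\System32, see the redirection note above); the filename reason is the one that survives a new drop, the hash reasons confirm an exact copy from this run.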