Analysis
max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 23:56
Behavioral task: behavioral1
Sample: 6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe
Size: 92KB
MD5: 6449ca46b56dfd97a1a515c7545c9ba0
SHA1: db2208c9ca213a03f97849de69c4611f90e7b909
SHA256: ffdc1716124055192eef057867cec06c97d505be20443850ba4859aa2620e3a9
SHA512: c60748762d871e3a5031b692011b44038964a31f0fdd4674b5e489f2bdaa5d206237415d8d9ccbf0c976a239d16775cb7396aa8df91752db5014161f9a4a6f3c
SSDEEP: 1536:Ud9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:sdseIOyEZEyFjEOFqTiQm5l/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
pid    process
3044   omsecor.exe
352    omsecor.exe
1988   omsecor.exe

Loads dropped DLL (6 IoCs)
pid    process
2956   6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe
2956   6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe
3044   omsecor.exe
3044   omsecor.exe
352    omsecor.exe
352    omsecor.exe

Drops file in System32 directory (1 IoC)
description    ioc                                process
File created   C:\Windows\SysWOW64\omsecor.exe    omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs; each row was recorded 4 times)
description                        pid    process                                               target process
PID 2956 wrote to memory of 3044   2956   6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe   omsecor.exe
PID 3044 wrote to memory of 352    3044   omsecor.exe                                           omsecor.exe
PID 352 wrote to memory of 1988    352    omsecor.exe                                           omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe (PID 2956)
   command line: "C:\Users\Admin\AppData\Local\Temp\6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3044)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe (PID 352)
         command line: C:\Windows\System32\omsecor.exe
         (the command line names System32, but the image recorded is under SysWOW64: on this x64 image the 32-bit process's System32 write is redirected by WOW64 file system redirection, which is why the "Drops file in System32 directory" IoC above lists C:\Windows\SysWOW64\omsecor.exe)
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1988)
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

File 1
Filesize: 92KB
MD5: 646e95436e49b94644c735e93d65dfcc
SHA1: eca5b8a25bcd11d79eb973c22741b92f778ef00a
SHA256: 3cf2c2591c867d36f4d9b7d31ea61de8eed925df4c3e676a77aa0b742ba9ea0c
SHA512: cf2e912608857cdd974c849074891c0e8a6b12a7f4d01dcfc51c3c41f28bcbc01f5a524ffc88f6271f4a9f0f9aa809b2fc8f861fd11d82c6cb6362d45bba3eb7

File 2
Filesize: 92KB
MD5: c94a7d24a8d629684cc8b90f372a7b99
SHA1: 90adb11db9efb6682693f079926741d76826c408
SHA256: 6cfbc523a86ff559e5f29e44ee580f4aac591fd1e6ce359a01c18dd0ac970c87
SHA512: 9d6aeeb4c8e369db3119183a2a7643b46c6bd9534a67b371fcbe49931ce9e95c114b624877f96b8d546a121ee92e71ee74ca70c623e9363b9fc31839a0b4f48b

File 3
Filesize: 92KB
MD5: 539ea1a15f26439037b594b043c368a7
SHA1: 05f05d5d6c17c74b5b8617f318b7c033a5680247
SHA256: 4318e1d26bc37dbd22b5f8bc77ca251bcaeb58908b3a79ad36650eab6a98dbf3
SHA512: 63606457ff67e4d13e5b9cac41bb296dc931ada28b3e62360ad2194610db667d8f3af34c3cb0ae0fd04191b8f293ce1c21b869dbab754a0b058d6bfae644e0b4
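A hunting script built from the IoCs in this report (the signatures, the process tree, the extracted neconyd hosts and the dropped-file hashes). It is an added example written for this page, not output of the sandbox. It runs three checks over Sysmon-style process-creation events: an exact SHA256 match, an image path in one of the drop locations the sandbox recorded, and the parent-to-child chain seen in the tree (Temp stage to Roaming\omsecor.exe to SysWOW64\omsecor.exe to Roaming\omsecor.exe again), plus a DNS check against the three C2 hosts. The event records and DNS queries are constructed; their PIDs and paths follow the process tree above, but the page does not say which of the three dropped-file hashes belongs to which omsecor.exe instance, so that assignment is an assumption for the sample only.

```python
"""Hunt for the omsecor.exe chain from this report in process and DNS telemetry.

Detections, from most to least brittle:
  1. exact SHA256 match against the hashes the sandbox recorded,
  2. an image running from one of the drop locations the sandbox observed,
  3. the parent->child chain (Temp -> Roaming\\omsecor.exe -> SysWOW64\\omsecor.exe -> ...).
SAMPLE_EVENTS / SAMPLE_DNS below are constructed, not real telemetry.
"""

# IoCs copied from the report: the submitted sample plus the three dropped files.
KNOWN_SHA256 = {
    "ffdc1716124055192eef057867cec06c97d505be20443850ba4859aa2620e3a9",
    "3cf2c2591c867d36f4d9b7d31ea61de8eed925df4c3e676a77aa0b742ba9ea0c",
    "6cfbc523a86ff559e5f29e44ee580f4aac591fd1e6ce359a01c18dd0ac970c87",
    "4318e1d26bc37dbd22b5f8bc77ca251bcaeb58908b3a79ad36650eab6a98dbf3",
}
# Hosts from the extracted neconyd config.
C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}
# Drop locations from the process tree. System32 is kept because the command line
# shows it; WOW64 redirects a 32-bit process's write there into SysWOW64, which is
# the image path the sandbox actually recorded.
DROP_SUFFIXES = (
    "\\appdata\\roaming\\omsecor.exe",
    "\\windows\\syswow64\\omsecor.exe",
    "\\windows\\system32\\omsecor.exe",
)


def is_drop_path(image: str) -> bool:
    """True if the image path ends in one of the observed drop locations."""
    return image.lower().endswith(DROP_SUFFIXES)


def is_user_temp(image: str) -> bool:
    """True for the first-stage location, %LOCALAPPDATA%\\Temp."""
    return "\\appdata\\local\\temp\\" in image.lower()


def hunt_process_events(events):
    """Return one finding per suspicious process, with every reason it matched.

    events: iterable of dicts with keys pid, ppid, image and (optionally) sha256.
    Parent lookup is by pid within the batch, so feed a whole host's events.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        reasons = []
        if e.get("sha256", "").lower() in KNOWN_SHA256:
            reasons.append("known_hash")
        if is_drop_path(e["image"]):
            reasons.append("drop_path")
            parent = by_pid.get(e["ppid"])
            # Every hop in the sandbox tree was spawned by the Temp stage or by
            # another omsecor.exe copy; a lone omsecor.exe elsewhere is not enough.
            if parent and (is_drop_path(parent["image"]) or is_user_temp(parent["image"])):
                reasons.append("omsecor_chain")
        if reasons:
            findings.append({"pid": e["pid"], "image": e["image"], "reasons": reasons})
    return findings


def matches_c2(host: str) -> bool:
    """Exact or subdomain match against the C2 hosts; a trailing dot is tolerated."""
    h = host.lower().rstrip(".")
    return any(h == c2 or h.endswith("." + c2) for c2 in C2_HOSTS)


def hunt_dns_queries(queries):
    """Return the sorted, de-duplicated queried names that hit the C2 list."""
    return sorted({q.lower().rstrip(".") for q in queries if matches_c2(q)})


# Constructed sample telemetry. PIDs and paths follow the report's process tree; the
# hash-to-instance assignment is an assumption (the report does not state it).
SAMPLE_EVENTS = [
    {"pid": 1234, "ppid": 1000, "image": "C:\\Windows\\explorer.exe", "sha256": "0" * 64},
    {"pid": 2956, "ppid": 1234,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe",
     "sha256": "ffdc1716124055192eef057867cec06c97d505be20443850ba4859aa2620e3a9"},
    {"pid": 3044, "ppid": 2956, "image": "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe",
     "sha256": "3cf2c2591c867d36f4d9b7d31ea61de8eed925df4c3e676a77aa0b742ba9ea0c"},
    {"pid": 352, "ppid": 3044, "image": "C:\\Windows\\SysWOW64\\omsecor.exe",
     "sha256": "6cfbc523a86ff559e5f29e44ee580f4aac591fd1e6ce359a01c18dd0ac970c87"},
    {"pid": 1988, "ppid": 352, "image": "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe",
     "sha256": "4318e1d26bc37dbd22b5f8bc77ca251bcaeb58908b3a79ad36650eab6a98dbf3"},
    {"pid": 4100, "ppid": 1234, "image": "C:\\Windows\\System32\\notepad.exe", "sha256": "1" * 64},
    # A rebuilt copy with an unknown hash: the path and chain rules still catch it.
    {"pid": 4200, "ppid": 2956, "image": "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe",
     "sha256": "2" * 64},
]
SAMPLE_DNS = ["www.google.com", "ow5dirasuek.com.", "cdn.lousta.net", "example.org"]

if __name__ == "__main__":
    for f in hunt_process_events(SAMPLE_EVENTS):
        print(f"pid {f['pid']:>5}  {', '.join(f['reasons']):<36} {f['image']}")
    print("C2 lookups:", hunt_dns_queries(SAMPLE_DNS))
```

The hash set only matches this build; the drop-path and chain rules are what survive a recompiled sample, which is why the constructed event with PID 4200 is flagged despite its unknown hash, and why an omsecor.exe under a vendor directory with no such parent is not.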