Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
19-05-2024 23:56
Behavioral task
behavioral1
Sample
6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe
Resource
win7-20240221-en
General
-
Target
6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe
-
Size
92KB
-
MD5
6449ca46b56dfd97a1a515c7545c9ba0
-
SHA1
db2208c9ca213a03f97849de69c4611f90e7b909
-
SHA256
ffdc1716124055192eef057867cec06c97d505be20443850ba4859aa2620e3a9
-
SHA512
c60748762d871e3a5031b692011b44038964a31f0fdd4674b5e489f2bdaa5d206237415d8d9ccbf0c976a239d16775cb7396aa8df91752db5014161f9a4a6f3c
-
SSDEEP
1536:Ud9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:sdseIOyEZEyFjEOFqTiQm5l/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
1876  omsecor.exe
5052  omsecor.exe
-
Drops file in System32 directory 2 IoCs
Processes:
description                   ioc                               process
File created                  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
File opened for modification  C:\Windows\SysWOW64\merocz.xc6    omsecor.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description                       pid   process                                               target process
PID 3484 wrote to memory of 1876  3484  6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe  omsecor.exe
PID 3484 wrote to memory of 1876  3484  6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe  omsecor.exe
PID 3484 wrote to memory of 1876  3484  6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe  omsecor.exe
PID 1876 wrote to memory of 5052  1876  omsecor.exe                                           omsecor.exe
PID 1876 wrote to memory of 5052  1876  omsecor.exe                                           omsecor.exe
PID 1876 wrote to memory of 5052  1876  omsecor.exe                                           omsecor.exe
-
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe"
   - Suspicious use of WriteProcessMemory
   PID:3484
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      PID:1876
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe (the 32-bit process's System32 reference is redirected to SysWOW64 by WoW64 file system redirection, which is why the image and the dropped-file IoC both sit under SysWOW64)
         - Executes dropped EXE
         - Drops file in System32 directory
         PID:5052
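The signatures and the process tree above describe one chain: the submitted sample drops omsecor.exe into AppData\Roaming, runs it and writes into its memory; that copy drops a second omsecor.exe plus merocz.xc6 into SysWOW64, runs it and writes into its memory. The script below is an added example, not part of the report or of any sandbox vendor's tooling. It replays simplified EDR-style event records (ProcessCreate, FileCreate, RemoteWrite, DnsQuery; these record shapes are assumed, not a specific product's schema) and emits the same signature names the report uses. The hashes, paths and C2 hosts are copied from the report; the event stream is constructed to model the tree above, and the DnsQuery and the explorer-like control events are invented.

```python
"""Structured check for the Neconyd indicators in the sandbox report above.

Added example, not part of the original report or of any sandbox's own tooling.
Hashes, paths and C2 hosts are copied from the report; the event records below are
constructed (simplified EDR-style ProcessCreate / FileCreate / RemoteWrite / DnsQuery
records, an assumed shape) and only model what the report's process tree describes.
"""
from collections import defaultdict
from typing import Dict, List

# SHA256 of the submitted sample and of the two 92KB files in the report's Downloads section.
IOC_SHA256 = {
    "ffdc1716124055192eef057867cec06c97d505be20443850ba4859aa2620e3a9",
    "3cf2c2591c867d36f4d9b7d31ea61de8eed925df4c3e676a77aa0b742ba9ea0c",
    "597459f804df9a8a98eb7f45f3c0587c507f794f14deb0d131c442018862de17",
}
# Hosts extracted from the sample's embedded configuration (from the report).
IOC_C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}
# Directories the "Drops file in System32 directory" signature covers (32-bit view included).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def norm(path: str) -> str:
    """Case-fold and strip quoting so command lines and file paths compare equal."""
    return path.strip('"').lower()


def lineage(pid: int, parent: Dict[int, int], image: Dict[int, str]) -> List[str]:
    """Walk pid -> ppid -> ... and return the images from the root ancestor down to pid."""
    chain = []
    while pid in image:
        chain.append(image[pid])
        pid = parent[pid]
    return chain[::-1]


def analyse(events: List[Dict]) -> Dict[str, List[str]]:
    """Replay the event stream and emit findings keyed by the report's signature names."""
    findings: Dict[str, List[str]] = defaultdict(list)
    parent: Dict[int, int] = {}      # pid -> parent pid
    image: Dict[int, str] = {}       # pid -> normalised image path
    created: Dict[str, int] = {}     # normalised file path -> pid that wrote it
    for ev in events:
        kind = ev["type"]
        if kind == "ProcessCreate":
            pid, img = ev["pid"], norm(ev["image"])
            parent[pid], image[pid] = ev["ppid"], img
            if ev.get("sha256") in IOC_SHA256:
                findings["Known Neconyd hash"].append(f"pid {pid} {img}")
            # "Executes dropped EXE": the image was written earlier by a monitored process.
            if img in created:
                findings["Executes dropped EXE"].append(
                    f"pid {pid} runs {img} (dropped by pid {created[img]}); "
                    f"chain: {' -> '.join(lineage(pid, parent, image))}")
        elif kind == "FileCreate":
            path = norm(ev["target"])
            created[path] = ev["pid"]
            if path.startswith(SYSTEM_DIRS):
                findings["Drops file in System32 directory"].append(f"pid {ev['pid']} wrote {path}")
        elif kind == "RemoteWrite":
            # A parent writing into the child it just spawned is what the report records
            # (three times per hop); the signature name is kept and nothing more is inferred.
            if parent.get(ev["target_pid"]) == ev["pid"]:
                findings["Suspicious use of WriteProcessMemory"].append(
                    f"pid {ev['pid']} wrote to memory of child pid {ev['target_pid']}")
        elif kind == "DnsQuery" and ev["host"].lower() in IOC_C2_HOSTS:
            findings["Contacts extracted C2 host"].append(f"pid {ev['pid']} -> {ev['host']}")
    return dict(findings)


# Constructed telemetry modelled on the report's process tree (PIDs 3484 -> 1876 -> 5052).
# The DnsQuery and the pid-1000 notes.txt line are invented controls, not from the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe"
EVENTS = [
    {"type": "ProcessCreate", "pid": 3484, "ppid": 1000, "image": SAMPLE,
     "sha256": "ffdc1716124055192eef057867cec06c97d505be20443850ba4859aa2620e3a9"},
    {"type": "FileCreate", "pid": 3484, "target": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"type": "ProcessCreate", "pid": 1876, "ppid": 3484, "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"type": "RemoteWrite", "pid": 3484, "target_pid": 1876},
    {"type": "FileCreate", "pid": 1876, "target": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"type": "FileCreate", "pid": 1876, "target": r"C:\Windows\SysWOW64\merocz.xc6"},
    {"type": "ProcessCreate", "pid": 5052, "ppid": 1876, "image": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"type": "RemoteWrite", "pid": 1876, "target_pid": 5052},
    {"type": "DnsQuery", "pid": 5052, "host": "lousta.net"},
    {"type": "FileCreate", "pid": 1000, "target": r"C:\Users\Admin\Documents\notes.txt"},  # benign control
]

if __name__ == "__main__":
    for name, hits in analyse(EVENTS).items():
        print(name)
        for hit in hits:
            print("   ", hit)
```

The "Executes dropped EXE" finding carries the full ancestry, which is the part worth keeping in a hunt: a binary in a user's AppData\Roaming spawning a same-named copy from SysWOW64 is the shape to search for across hosts, independent of the hashes, which change between builds (the two dropped copies in the report already differ).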
-
-
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
92KB
MD5 646e95436e49b94644c735e93d65dfcc
SHA1 eca5b8a25bcd11d79eb973c22741b92f778ef00a
SHA256 3cf2c2591c867d36f4d9b7d31ea61de8eed925df4c3e676a77aa0b742ba9ea0c
SHA512 cf2e912608857cdd974c849074891c0e8a6b12a7f4d01dcfc51c3c41f28bcbc01f5a524ffc88f6271f4a9f0f9aa809b2fc8f861fd11d82c6cb6362d45bba3eb7
-
Filesize
92KB
MD5 9b088f2a348dfca3104407d1fa545e96
SHA1 df0406a3d84d2412d1d6745fcd529a258faa5dd9
SHA256 597459f804df9a8a98eb7f45f3c0587c507f794f14deb0d131c442018862de17
SHA512 3c8f934696ef909010de17627ba46fe30732817c7ac2dbb7387024b1a4555434a2eb3fd39b5a6c455c78cc735f7dc466a0da25b026e55868275d55016c2f6a7d