Analysis
-
max time kernel
149s
-
max time network
150s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
-
submitted
19-05-2024 13:52
Behavioral task
behavioral1
Sample
cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe
Resource
win7-20240221-en
General
-
Target
cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe
-
Size
88KB
-
MD5
cf2fd20fe34f0e3912692b87010dae50
-
SHA1
8e05d1da78b9469e4632701e1ee3e681f944afb4
-
SHA256
4775da73afa39225b4594fe94bd05850bac7777f0ca3a42c5b42ddb923215823
-
SHA512
42038ccea14ad842029ef695890b86df68e80f035e02b9d3e24155efe71dec8ef8fcf23d76b1ac6c0b792aca43eb598a61f3554a6fdc0f4a833531f7ef9283a6
-
SSDEEP
1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:XdseIOMEZEyFjEOFqTiQm5l/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 3 IoCs
Processes: omsecor.exe, omsecor.exe, omsecor.exe
pid process
1620 omsecor.exe
2748 omsecor.exe
1736 omsecor.exe
-
Loads dropped DLL 6 IoCs
Processes: cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe, omsecor.exe, omsecor.exe
pid process
2000 cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe
2000 cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe
1620 omsecor.exe
1620 omsecor.exe
2748 omsecor.exe
2748 omsecor.exe
-
Drops file in System32 directory 1 IoCs
Processes: omsecor.exe
description ioc process
File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe, omsecor.exe, omsecor.exe
description pid process target process
PID 2000 wrote to memory of 1620 2000 cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe omsecor.exe
PID 2000 wrote to memory of 1620 2000 cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe omsecor.exe
PID 2000 wrote to memory of 1620 2000 cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe omsecor.exe
PID 2000 wrote to memory of 1620 2000 cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe omsecor.exe
PID 1620 wrote to memory of 2748 1620 omsecor.exe omsecor.exe
PID 1620 wrote to memory of 2748 1620 omsecor.exe omsecor.exe
PID 1620 wrote to memory of 2748 1620 omsecor.exe omsecor.exe
PID 1620 wrote to memory of 2748 1620 omsecor.exe omsecor.exe
PID 2748 wrote to memory of 1736 2748 omsecor.exe omsecor.exe
PID 2748 wrote to memory of 1736 2748 omsecor.exe omsecor.exe
PID 2748 wrote to memory of 1736 2748 omsecor.exe omsecor.exe
PID 2748 wrote to memory of 1736 2748 omsecor.exe omsecor.exe
Processes
-
Process tree (bracketed number = depth in the tree; first line is the image path, second line the command line)
[1] C:\Users\Admin\AppData\Local\Temp\cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2000
  [2] C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      PID: 1620
    [3] C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 2748
      [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          - Executes dropped EXE
          PID: 1736
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
88KB
MD5
131b25d0a970b0f44c002bf6bd4d27f8
SHA1
153288c91e5a429ce158acf93c3001945da4ef84
SHA256
adf89be5638650b37d674af80e9504fd8c201f91509be5f8645610806d4e9eb0
SHA512
866e54e10146fa35904de5dd78daab296d649c093813cefa24f8860ad88e25f5a53c4a0edf9e7370a360b6d4fa1c12e586ed070f325d708fdf24c719a84a8564
-
Filesize
88KB
MD5
d296903c20bf5cebec7c173a05bfa36f
SHA1
88c25b33d07449d95eeb18e7477f10ea22b6f2dc
SHA256
24fe7e3907b9a36b95a813ab340f21f922d0eae303f1ae3bb8ef04430492f5d1
SHA512
1814bee032efcb1cd173d81d57bf4f33080b30e9262398b21632bc21f966a4054ab07c8dcc5c28610bb6a7b4621b38833b61768ef07b1fe5405b04b2efddc231
-
Filesize
88KB
MD5
2a378599d59c580fb40d7347ff612a72
SHA1
88e72b8da6edf364b830ac147981433e293bc7ab
SHA256
c16bbd5bee904435c93799d420db3584ba510d60372d8bb26ab6bee15ca84b3d
SHA512
4959802ad3409d65cf452c8189d718d4871ead535d8ad954808a306baa128d389193800d5d28d37cdbf72190d48c01008d4e7a936550e06ff2e0b557c5ed727b