Analysis
max time kernel: 143s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 13:52
Behavioral task: behavioral1
Sample: cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe
Size: 88KB
MD5: cf2fd20fe34f0e3912692b87010dae50
SHA1: 8e05d1da78b9469e4632701e1ee3e681f944afb4
SHA256: 4775da73afa39225b4594fe94bd05850bac7777f0ca3a42c5b42ddb923215823
SHA512: 42038ccea14ad842029ef695890b86df68e80f035e02b9d3e24155efe71dec8ef8fcf23d76b1ac6c0b792aca43eb598a61f3554a6fdc0f4a833531f7ef9283a6
SSDEEP: 1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:XdseIOMEZEyFjEOFqTiQm5l/5
Malware Config
Extracted: neconyd
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid    process
  1528   omsecor.exe
  4780   omsecor.exe

Drops file in System32 directory (2 IoCs)
Processes:
  description                    ioc                                 process
  File created                   C:\Windows\SysWOW64\omsecor.exe     omsecor.exe
  File opened for modification   C:\Windows\SysWOW64\merocz.xc6      omsecor.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                         pid    process                                                target process
  PID 1804 wrote to memory of 1528    1804   cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe   omsecor.exe
  PID 1804 wrote to memory of 1528    1804   cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe   omsecor.exe
  PID 1804 wrote to memory of 1528    1804   cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe   omsecor.exe
  PID 1528 wrote to memory of 4780    1528   omsecor.exe                                            omsecor.exe
  PID 1528 wrote to memory of 4780    1528   omsecor.exe                                            omsecor.exe
  PID 1528 wrote to memory of 4780    1528   omsecor.exe                                            omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe"
   PID: 1804
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1528
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         command line: C:\Windows\System32\omsecor.exe
         PID: 4780
         - Executes dropped EXE
         - Drops file in System32 directory

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
   PID: 2284
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 88KB
MD5: 131b25d0a970b0f44c002bf6bd4d27f8
SHA1: 153288c91e5a429ce158acf93c3001945da4ef84
SHA256: adf89be5638650b37d674af80e9504fd8c201f91509be5f8645610806d4e9eb0
SHA512: 866e54e10146fa35904de5dd78daab296d649c093813cefa24f8860ad88e25f5a53c4a0edf9e7370a360b6d4fa1c12e586ed070f325d708fdf24c719a84a8564

Filesize: 88KB
MD5: 1f8f97a6b3ade25e21c48d83bd5ec2c3
SHA1: 66b380240e105cf68347dd8d4f2bbff1c77e6bca
SHA256: 521248d40f910dc708cbde2215e5f40abaf607d7d69a90cdf4a6cc22c31867fd
SHA512: 4f9a32daa286876f051fe39b01acc253814c33421bfb3199b07e64ebc8cf1bfb3f6010fc7690613935559a1bf14a29ad21a38bcab2b6d052813b755c45df9a5d