Analysis
- max time kernel: 145s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 19-05-2024 13:42
Behavioral task: behavioral1
- Sample: ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe
- Resource: win7-20240220-en
General
- Target: ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe
- Size: 35KB
- MD5: ccf3202a38e701599318538b3a1f62e0
- SHA1: 6315d7eea2bab3de152823d5f03c803b6539b0d3
- SHA256: 5cfd89282e30b73f7e45c884e4abdfe887811daae7b98477f90bf01565808d51
- SHA512: e36e1006c4aff6d5ff3ff374bd5daa11849994997a83cafaa809623636737bd03655afcb06c6aca44997b50f0db40b2fbae021298cdf9215c251a1bf9f15f0e2
- SSDEEP: 768:GU6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:a8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 1740 omsecor.exe
- 1856 omsecor.exe
- 328 omsecor.exe

Loads dropped DLL (6 IoCs)
Processes (pid, process):
- 2084 ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe
- 2084 ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe
- 1740 omsecor.exe
- 1740 omsecor.exe
- 1856 omsecor.exe
- 1856 omsecor.exe

yara_rule upx matched resources:
- behavioral1/memory/2084-1-0x0000000000400000-0x000000000042D000-memory.dmp
- \Users\Admin\AppData\Roaming\omsecor.exe
- behavioral1/memory/1740-11-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/1740-12-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/1740-15-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/1740-18-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/1740-21-0x0000000000400000-0x000000000042D000-memory.dmp
- \Windows\SysWOW64\omsecor.exe
- behavioral1/memory/1740-24-0x0000000000280000-0x00000000002AD000-memory.dmp
- behavioral1/memory/1740-31-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/1856-33-0x0000000000400000-0x000000000042D000-memory.dmp
- \Users\Admin\AppData\Roaming\omsecor.exe
- behavioral1/memory/1856-44-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/328-45-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/328-47-0x0000000000400000-0x000000000042D000-memory.dmp
- behavioral1/memory/328-50-0x0000000000400000-0x000000000042D000-memory.dmp

Drops file in System32 directory (1 IoC)
Processes (description, ioc, process):
- File created: C:\Windows\SysWOW64\omsecor.exe by omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (pid, process -> target pid, target process):
- PID 2084 ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe wrote to memory of 1740 omsecor.exe (4 events)
- PID 1740 omsecor.exe wrote to memory of 1856 omsecor.exe (4 events)
- PID 1856 omsecor.exe wrote to memory of 328 omsecor.exe (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe"
   PID: 2084
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1740
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 1856
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 328
            - Executes dropped EXE
Downloads
1. Filesize: 35KB
   MD5: a0c87e7564432bcf0039292043d3c541
   SHA1: efebf1cea7c0a413289e281dc57f40315b6a1ba5
   SHA256: fb81f3c7d903dac4bc878ba9612bbac1056be91b43c26d439c19e1aa2df15889
   SHA512: ba00f8e77cce09dc5506ebf90833624a4fd227be7e7d910107e44d780e82ccf5a0471e81a90d444c75fa0b1f6e761aef489627b60bc15c4fbfbe32dcff964276
2. Filesize: 35KB
   MD5: ae1086a0b0f44313d926fcf47dd6ed24
   SHA1: 5c3a1cb032508c42b758f1f17ab494c5c1da9b1b
   SHA256: 045c9ac028051536385925cdc8246594d04b4b70311b2431bd1cfe824d87965c
   SHA512: 3b4bc8a1f58d4f0d205d894ef7d79566589e45abc643288bc720ca96ed92c802811b5b749fb34761da02ac1dc90cbe9eeae2eb869719356f4827513c3d667755
3. Filesize: 35KB
   MD5: c5d988698ccd37a60d575aa789db2d65
   SHA1: a987eff7d0961ecbdec61faaffbdfddb5e34930a
   SHA256: 925605de3b54efd82c12c458bbd1b6a4a79df74e33ef3bc6c2a5c07a689deca9
   SHA512: a165dd6361cc44d1a187cd47f1068a8faad88631df6403908ed50db7d1078b1307b045318a2ce66dec5df15d8b67f4be6ce466142f5d2a6ca2d672c4f3fa1ffa