Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-05-2024 13:42
Behavioral task: behavioral1
- Sample: ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe
- Resource: win7-20240220-en
General
- Target: ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe
- Size: 35KB
- MD5: ccf3202a38e701599318538b3a1f62e0
- SHA1: 6315d7eea2bab3de152823d5f03c803b6539b0d3
- SHA256: 5cfd89282e30b73f7e45c884e4abdfe887811daae7b98477f90bf01565808d51
- SHA512: e36e1006c4aff6d5ff3ff374bd5daa11849994997a83cafaa809623636737bd03655afcb06c6aca44997b50f0db40b2fbae021298cdf9215c251a1bf9f15f0e2
- SSDEEP: 768:GU6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:a8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted family: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    4524  omsecor.exe
    4464  omsecor.exe

- UPX-packed resources (yara_rule: upx)
  Processes:
    resource                                                                yara_rule
    behavioral2/memory/3748-0-0x0000000000400000-0x000000000042D000-memory.dmp   upx
    C:\Users\Admin\AppData\Roaming\omsecor.exe                              upx
    behavioral2/memory/4524-4-0x0000000000400000-0x000000000042D000-memory.dmp   upx
    behavioral2/memory/3748-7-0x0000000000400000-0x000000000042D000-memory.dmp   upx
    behavioral2/memory/4524-8-0x0000000000400000-0x000000000042D000-memory.dmp   upx
    behavioral2/memory/4524-11-0x0000000000400000-0x000000000042D000-memory.dmp  upx
    behavioral2/memory/4524-14-0x0000000000400000-0x000000000042D000-memory.dmp  upx
    behavioral2/memory/4524-15-0x0000000000400000-0x000000000042D000-memory.dmp  upx
    C:\Windows\SysWOW64\omsecor.exe                                         upx
    behavioral2/memory/4524-20-0x0000000000400000-0x000000000042D000-memory.dmp  upx
    behavioral2/memory/4464-22-0x0000000000400000-0x000000000042D000-memory.dmp  upx
    behavioral2/memory/4464-23-0x0000000000400000-0x000000000042D000-memory.dmp  upx
    behavioral2/memory/4464-26-0x0000000000400000-0x000000000042D000-memory.dmp  upx

- Drops file in System32 directory (2 IoCs)
  Processes:
    description                   ioc                               process
    File created                  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
    File opened for modification  C:\Windows\SysWOW64\merocz.xc6    omsecor.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process                                             target process
    PID 3748 wrote to memory of 4524  3748  ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe  omsecor.exe
    PID 3748 wrote to memory of 4524  3748  ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe  omsecor.exe
    PID 3748 wrote to memory of 4524  3748  ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe  omsecor.exe
    PID 4524 wrote to memory of 4464  4524  omsecor.exe                                         omsecor.exe
    PID 4524 wrote to memory of 4464  4524  omsecor.exe                                         omsecor.exe
    PID 4524 wrote to memory of 4464  4524  omsecor.exe                                         omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe"
   PID: 3748
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 4524
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 4464
         - Executes dropped EXE
         - Drops file in System32 directory
Downloads

- Filesize: 35KB
  MD5: a0c87e7564432bcf0039292043d3c541
  SHA1: efebf1cea7c0a413289e281dc57f40315b6a1ba5
  SHA256: fb81f3c7d903dac4bc878ba9612bbac1056be91b43c26d439c19e1aa2df15889
  SHA512: ba00f8e77cce09dc5506ebf90833624a4fd227be7e7d910107e44d780e82ccf5a0471e81a90d444c75fa0b1f6e761aef489627b60bc15c4fbfbe32dcff964276

- Filesize: 35KB
  MD5: 131db9186e0f838010e6b910d9398920
  SHA1: ea07a9a1b1065ebd284a352c3b193b0b4126e736
  SHA256: 3dfba1b149ee23ab80c7174396e7ef66f0854552b7b92f3d9be4cc5cf5b3b306
  SHA512: cfd93388f483fe2984729eb91fe9a4f0658acffce59e1bb6c5a3243d7e70ea4f1c0cadae6046f42583e91f79a5aaa7ccce1900c22d880d0d5e658974a7908166