Analysis

max time kernel: 146s
max time network: 147s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 15:04

Behavioral task: behavioral1
Sample: ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe
Size: 35KB
MD5: ddb47c76c975930de12c689f7f6e9ac0
SHA1: d1f18205eb24dfe5af0ebe5250a64632d56056f8
SHA256: bd638029b2c11a937fc9cd747e3b8804c8ae93e62eaa8b00b3fa2cf7cc2a23d5
SHA512: 114a2d41fe70af9c629daed4d9912ca7896f49e7954cad71c59f65b2672e5587a8e90622e6a0d24f0f983394525be0ffc090ef1ecb7c9b8decc29bc74c0506eb
SSDEEP: 768:j6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:e8Z0kA7FHlO2OwOTUtKjpB
Malware Config

Extracted: neconyd
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
  PID   Process
  2592  omsecor.exe
  1288  omsecor.exe
  1528  omsecor.exe

Loads dropped DLL (6 IoCs)
  PID   Process
  1044  ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe
  1044  ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe
  2592  omsecor.exe
  2592  omsecor.exe
  1288  omsecor.exe
  1288  omsecor.exe

Yara rule matches (upx)
  resource                                                                      yara_rule
  behavioral1/memory/1044-0-0x0000000000400000-0x000000000042D000-memory.dmp    upx
  \Users\Admin\AppData\Roaming\omsecor.exe                                      upx
  behavioral1/memory/1044-11-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral1/memory/2592-13-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral1/memory/2592-14-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral1/memory/2592-20-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral1/memory/2592-23-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  \Windows\SysWOW64\omsecor.exe                                                 upx
  behavioral1/memory/2592-26-0x0000000000290000-0x00000000002BD000-memory.dmp   upx
  behavioral1/memory/2592-33-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral1/memory/1288-37-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  \Users\Admin\AppData\Roaming\omsecor.exe                                      upx
  behavioral1/memory/1528-46-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral1/memory/1528-48-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral1/memory/1528-51-0x0000000000400000-0x000000000042D000-memory.dmp   upx

Drops file in System32 directory (1 IoC)
  description   ioc                               process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  source PID  source process                                        target PID  target process
  1044        ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe   2592        omsecor.exe   (4 events)
  2592        omsecor.exe                                           1288        omsecor.exe   (4 events)
  1288        omsecor.exe                                           1528        omsecor.exe   (4 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe"
   PID: 1044
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2592
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 1288
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1528
            - Executes dropped EXE
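As an added example (not part of the sandbox report, and not the sandbox's own detection logic), the Python below turns the behaviour recorded above into detection rules and runs them over hand-constructed event records that mirror the report: a binary executing from a user-writable directory (AppData\Local\Temp, AppData\Roaming), a non-system process creating a file under SysWOW64, the same file name relaunched from a different directory at each hop (Roaming, then SysWOW64, then Roaming again), and a parent writing into the memory of the child it just spawned. Two details worth noticing: the third process's command line names C:\Windows\System32\omsecor.exe while the image that ran is C:\Windows\SysWOW64\omsecor.exe, which is WOW64 file-system redirection for a 32-bit process on x64 Windows, so the helper normalizes that before comparing paths; and the three 35 KB files listed under Downloads (assumed here to be the dropped omsecor.exe copies, which the report does not label) all carry MD5s different from the submitted sample, so a blocklist of the sample hash matches none of them while the behavioural rules fire on every stage. The event schema is an assumption made for this example, not Sysmon or any vendor's log format.

```python
"""Behavioural triage of the process tree in the report above.

Added example, not part of the sandbox report or of any vendor tool. The
event records are constructed by hand from the report's process tree,
"Drops file in System32 directory" and "Suspicious use of WriteProcessMemory"
signatures; the record schema (type/pid/ppid/image/...) is an assumption made
for this example, not Sysmon or any product's log format.
"""
import ntpath
import re

# Constructed from the report: one record per process creation, the file
# drop into SysWOW64, and one record per parent->child memory write.
EVENTS = [
    {"type": "process_create", "pid": 1044, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe"},
    {"type": "process_create", "pid": 2592, "ppid": 1044,
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    # Command line says System32; the image that actually ran is in SysWOW64.
    {"type": "process_create", "pid": 1288, "ppid": 2592,
     "image": r"C:\Windows\SysWOW64\omsecor.exe",
     "cmdline": r"C:\Windows\System32\omsecor.exe"},
    {"type": "process_create", "pid": 1528, "ppid": 1288,
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"type": "file_create", "pid": 2592, "path": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"type": "process_write", "pid": 1044, "target_pid": 2592},
    {"type": "process_write", "pid": 2592, "target_pid": 1288},
    {"type": "process_write", "pid": 1288, "target_pid": 1528},
]

# Hashes copied from the report. The three Downloads entries are assumed
# here to be the dropped omsecor.exe copies (the report does not label them).
SAMPLE_MD5 = "ddb47c76c975930de12c689f7f6e9ac0"
DROPPED_MD5 = [
    "856e31b1153c77956442e2685a7ef5ee",
    "beb216940f507ddbd6b680f889165d65",
    "a1b2224ad60e9dfeaf791675c5855ed0",
]

# User-writable locations the report's binaries ran from.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(roaming|local\\temp)\\", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def in_user_writable_dir(path):
    return USER_WRITABLE.match(path) is not None


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def wow64_redirect(path):
    """Path a 32-bit process on x64 Windows actually touches when it names
    C:\\Windows\\System32: file-system redirection sends it to SysWOW64."""
    prefix = "c:\\windows\\system32\\"
    if path.lower().startswith(prefix):
        return "C:\\Windows\\SysWOW64\\" + path[len(prefix):]
    return path


def analyze(events):
    """Return (rule, pid) findings; all four rules fire on the report's tree."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        if e["type"] == "process_create":
            if in_user_writable_dir(e["image"]):
                findings.append(("exec_from_user_writable_dir", e["pid"]))
            parent = procs.get(e["ppid"])
            if parent:
                same_name = ntpath.basename(parent["image"]).lower() == ntpath.basename(e["image"]).lower()
                other_dir = ntpath.dirname(parent["image"]).lower() != ntpath.dirname(e["image"]).lower()
                if same_name and other_dir:
                    findings.append(("same_name_relaunch_from_other_dir", e["pid"]))
        elif e["type"] == "file_create":
            writer_image = procs[e["pid"]]["image"]
            if in_system_dir(e["path"]) and not in_system_dir(writer_image):
                findings.append(("system_dir_drop_by_nonsystem_process", e["pid"]))
        elif e["type"] == "process_write":
            # A parent writing into a child it just spawned is the pattern the
            # report flags as "Suspicious use of WriteProcessMemory".
            if procs[e["target_pid"]]["ppid"] == e["pid"]:
                findings.append(("parent_writes_child_memory", e["pid"]))
    return findings


def hash_matches(known_md5, observed_md5):
    """Hash-only matching: which observed files hit the known-bad set."""
    return [h for h in observed_md5 if h in known_md5]


if __name__ == "__main__":
    for rule, pid in analyze(EVENTS):
        print(f"{rule:40s} pid {pid}")
    print("dropped copies matching the sample MD5:", hash_matches({SAMPLE_MD5}, DROPPED_MD5))
```

Running the block prints nine findings (three executions from user-writable directories, two same-name relaunches, one system-directory drop, three parent-to-child memory writes) and an empty hash-match list, which is the practical takeaway from this report: path and process-relationship rules catch every stage of the chain, while the submitted sample's hash catches none of the copies it drops.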
Downloads

File 1
  Filesize: 35KB
  MD5: 856e31b1153c77956442e2685a7ef5ee
  SHA1: 155732cdc7644a295ec8c04240fdfc7c5717c805
  SHA256: 9d397d095137106b904862500df338eaf3f2162d022421341047f4054fed1064
  SHA512: 473a2f409140eefef46f55c56bea674cd7efb71fe314dcc19fed204680f38a06c20cbaf6d172e7f776813f59da5912bfb234ced95cafb1e1215d1d3ba6cd99ef

File 2
  Filesize: 35KB
  MD5: beb216940f507ddbd6b680f889165d65
  SHA1: 2ff2e890dbae4570636d2f3de8e46aacb618ba18
  SHA256: 6c11dc5d1827e34bfb0e47195753ca23732fcb02874df1bc308f6f09a89ac322
  SHA512: 8708ee138615fd00ff436d7ab56fe959ca1186d5d2196c1e8566f31c2f3da59b064d50994d3d7a71e7f8c4bb975f89e24905dbb85bc2e5aff8a6103032b76636

File 3
  Filesize: 35KB
  MD5: a1b2224ad60e9dfeaf791675c5855ed0
  SHA1: 5ec04bd46880e9d00be86da9bc264875527b121f
  SHA256: 18093e8fd8c19ef382c7b7ae9a408539eabab9e9059078577f705f2c63fe9e51
  SHA512: 694d077b2efb96b810685bac810e16f4de3a7330699668d088631da581f368a6648abdd0cf6bf3fb21f297e4fdcbfda32d2daf9231027e387e41344015c924d1