Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-05-2024 15:04
Behavioral task: behavioral1
- Sample: ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe
- Resource: win7-20240221-en
General
- Target: ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe
- Size: 35KB
- MD5: ddb47c76c975930de12c689f7f6e9ac0
- SHA1: d1f18205eb24dfe5af0ebe5250a64632d56056f8
- SHA256: bd638029b2c11a937fc9cd747e3b8804c8ae93e62eaa8b00b3fa2cf7cc2a23d5
- SHA512: 114a2d41fe70af9c629daed4d9912ca7896f49e7954cad71c59f65b2672e5587a8e90622e6a0d24f0f983394525be0ffc090ef1ecb7c9b8decc29bc74c0506eb
- SSDEEP: 768:j6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:e8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 4444 omsecor.exe
- 2716 omsecor.exe
- 1936 omsecor.exe

YARA rule matches (resource, yara_rule):
- behavioral2/memory/400-0-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- C:\Users\Admin\AppData\Roaming\omsecor.exe, upx
- behavioral2/memory/400-4-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- behavioral2/memory/4444-7-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- behavioral2/memory/4444-8-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- behavioral2/memory/4444-11-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- behavioral2/memory/4444-14-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- behavioral2/memory/4444-15-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- C:\Windows\SysWOW64\omsecor.exe, upx
- behavioral2/memory/4444-20-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- behavioral2/memory/2716-21-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- C:\Users\Admin\AppData\Roaming\omsecor.exe, upx
- behavioral2/memory/1936-29-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- behavioral2/memory/2716-27-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- behavioral2/memory/1936-30-0x0000000000400000-0x000000000042D000-memory.dmp, upx
- behavioral2/memory/1936-33-0x0000000000400000-0x000000000042D000-memory.dmp, upx

Drops file in System32 directory (1 IoC)
Processes (description, ioc, process):
- File created, C:\Windows\SysWOW64\omsecor.exe, omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, pid, process, target process):
- PID 400 wrote to memory of 4444, 400 ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe, omsecor.exe
- PID 400 wrote to memory of 4444, 400 ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe, omsecor.exe
- PID 400 wrote to memory of 4444, 400 ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe, omsecor.exe
- PID 4444 wrote to memory of 2716, 4444 omsecor.exe, omsecor.exe
- PID 4444 wrote to memory of 2716, 4444 omsecor.exe, omsecor.exe
- PID 4444 wrote to memory of 2716, 4444 omsecor.exe, omsecor.exe
- PID 2716 wrote to memory of 1936, 2716 omsecor.exe, omsecor.exe
- PID 2716 wrote to memory of 1936, 2716 omsecor.exe, omsecor.exe
- PID 2716 wrote to memory of 1936, 2716 omsecor.exe, omsecor.exe
Processes (process tree, indented by depth)

C:\Users\Admin\AppData\Local\Temp\ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe"
  PID: 400
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 4444
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 2716
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 1936
        - Executes dropped EXE
Downloads

File 1
- Filesize: 35KB
- MD5: 15c12b1d577219df2cfdd63f2607a98e
- SHA1: a07ff5a36b13e02d31f33437a23c9004d00187a3
- SHA256: bb309614cfb7b38a4231984cb2abcd25ebd118c4763f2b26080ae7379c43e22e
- SHA512: 513fd21f2833877f26ed6141533e1c0a0bf4c6ba0b24b6d2c429943e9f79a403c313f5924575db0b848d24e6a86da1a5ddbc244e28db73d19afead55f5fe90a2

File 2
- Filesize: 35KB
- MD5: 856e31b1153c77956442e2685a7ef5ee
- SHA1: 155732cdc7644a295ec8c04240fdfc7c5717c805
- SHA256: 9d397d095137106b904862500df338eaf3f2162d022421341047f4054fed1064
- SHA512: 473a2f409140eefef46f55c56bea674cd7efb71fe314dcc19fed204680f38a06c20cbaf6d172e7f776813f59da5912bfb234ced95cafb1e1215d1d3ba6cd99ef

File 3
- Filesize: 35KB
- MD5: cd7ee7b65436f935b4b806d9522b02f5
- SHA1: 75dfc6dae30060b40643c2d34b97a2e946fdbff2
- SHA256: 188b07911e293b4db37ae7a5ffa53da8690ca154247f975ca21eacfc3b52b8e4
- SHA512: 4a7106862cd51c477e880913cd7ca8b754e0f0058b4139c3bb4c34911182b63298fbfb60383ec45bda49cde189517e45f6d2212f23b433d2357b62dd65da2619