Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
19-05-2024 15:22
Behavioral task
behavioral1
Sample
e21334854c1732db05619261c709c470_NeikiAnalytics.exe
Resource
win7-20240221-en
General
-
Target
e21334854c1732db05619261c709c470_NeikiAnalytics.exe
-
Size
84KB
-
MD5
e21334854c1732db05619261c709c470
-
SHA1
85e1cf5b14a2440f0987f7cf9d10bd6cc84f02c7
-
SHA256
f0fa8801dd3c886a8aef5868150964c5a99ea506cf8fd30afeae39e281dc8749
-
SHA512
812efa3b2fcebe8d96e502e3d8795a04d761765bbe58bd23bf69ef66ef450fe6e28be377434306600cea47e07a966b63ee9f22cb26d6edc8eb33a6654ffd7306
-
SSDEEP
768:6MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:6bIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
omsecor.exe omsecor.exe omsecor.exe
pid   process
1632  omsecor.exe
4260  omsecor.exe
3532  omsecor.exe
-
Drops file in System32 directory 1 IoCs
Processes:
omsecor.exe
description   ioc                              process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
e21334854c1732db05619261c709c470_NeikiAnalytics.exe omsecor.exe omsecor.exe
description                       pid   process                                              target process
PID 4124 wrote to memory of 1632  4124  e21334854c1732db05619261c709c470_NeikiAnalytics.exe  omsecor.exe
PID 4124 wrote to memory of 1632  4124  e21334854c1732db05619261c709c470_NeikiAnalytics.exe  omsecor.exe
PID 4124 wrote to memory of 1632  4124  e21334854c1732db05619261c709c470_NeikiAnalytics.exe  omsecor.exe
PID 1632 wrote to memory of 4260  1632  omsecor.exe                                          omsecor.exe
PID 1632 wrote to memory of 4260  1632  omsecor.exe                                          omsecor.exe
PID 1632 wrote to memory of 4260  1632  omsecor.exe                                          omsecor.exe
PID 4260 wrote to memory of 3532  4260  omsecor.exe                                          omsecor.exe
PID 4260 wrote to memory of 3532  4260  omsecor.exe                                          omsecor.exe
PID 4260 wrote to memory of 3532  4260  omsecor.exe                                          omsecor.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e21334854c1732db05619261c709c470_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\e21334854c1732db05619261c709c470_NeikiAnalytics.exe" 1
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 2
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe 3
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4
- Executes dropped EXE
PID:3532
Downloads