Analysis

max time kernel: 146s
max time network: 148s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 16:35
Behavioral task: behavioral1
Sample: f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe
Size: 35KB
MD5: f4436b10750b5abd50e65308988c0ce0
SHA1: d72bb7ca6fbeb581dddc0133d6baf5d1b534d497
SHA256: ec6f0134583a5bac273914fc276c475f0da21c83f3e101d2cfbf8bdcae05a669
SHA512: c7b18b4f519ffa684632a5a3f52f8ee809ceb0bc964cbf85423828ad12505a2f96d2390356b0239ab2051627c8213249733f4ccc39f4fd26bfd7766b2d2fa301
SSDEEP: 768:/6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:C8Z0kA7FHlO2OwOTUtKjpB
Malware Config

Extracted config (neconyd), URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE 3 IoCs
Processes:
  pid   process
  2992  omsecor.exe
  1428  omsecor.exe
  1444  omsecor.exe

Loads dropped DLL 6 IoCs
Processes:
  pid   process
  2868  f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe
  2868  f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe
  2992  omsecor.exe
  2992  omsecor.exe
  1428  omsecor.exe
  1428  omsecor.exe

UPX packed file 15 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2868-1-0x0000000000400000-0x000000000042D000-memory.dmp    upx
  \Users\Admin\AppData\Roaming\omsecor.exe                                      upx
  behavioral1/memory/2992-10-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral1/memory/2992-12-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral1/memory/2992-15-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral1/memory/2992-18-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral1/memory/2992-21-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  \Windows\SysWOW64\omsecor.exe                                                 upx
  behavioral1/memory/2992-24-0x0000000000290000-0x00000000002BD000-memory.dmp   upx
  behavioral1/memory/2992-31-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  \Users\Admin\AppData\Roaming\omsecor.exe                                      upx
  behavioral1/memory/1444-44-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral1/memory/1428-42-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral1/memory/1444-46-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral1/memory/1444-49-0x0000000000400000-0x000000000042D000-memory.dmp   upx

Drops file in System32 directory 1 IoCs
Processes:
  description   ioc                                process
  File created  C:\Windows\SysWOW64\omsecor.exe    omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                          pid   process                                                target process
  PID 2868 wrote to memory of 2992     2868  f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe    omsecor.exe    (4 IoCs)
  PID 2992 wrote to memory of 1428     2992  omsecor.exe                                            omsecor.exe    (4 IoCs)
  PID 1428 wrote to memory of 1444     1428  omsecor.exe                                            omsecor.exe    (4 IoCs)
Processes

1. C:\Users\Admin\AppData\Local\Temp\f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe"
   PID: 2868
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2992
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         command line: C:\Windows\System32\omsecor.exe
         PID: 1428
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1444
            - Executes dropped EXE

Note on PID 1428: its command line names C:\Windows\System32\omsecor.exe while the image path (and the "Drops file in System32 directory" IoC) is C:\Windows\SysWOW64\omsecor.exe. On 64-bit Windows a 32-bit (WOW64) process that writes to or launches from System32 is transparently redirected to SysWOW64, so the file actually lands there. Detections that key on the literal System32 path will miss this drop; match on both spellings or normalize them.
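A hunting script, added here as an example and not part of the sandbox report, that checks host telemetry for the indicators above: the SHA256 of the submitted sample and of the three entries under Downloads, the two omsecor.exe drop locations, the hostnames of the three extracted URLs, and the omsecor.exe-spawns-omsecor.exe lineage visible in the process tree. The event records and their field names (pid, ppid, path, sha256, wow64) are constructed for this example and follow no EDR vendor's schema; the report does not say which download hash belongs to which dropped copy, so the hash-to-path pairing in the sample events is an assumption as well. The path normalizer folds System32 to SysWOW64 for 32-bit processes so the drop matches whichever spelling the telemetry recorded.

```python
import re

# Indicators copied from the report: the sample's SHA256 plus the three Downloads entries.
SHA256_IOCS = {
    "ec6f0134583a5bac273914fc276c475f0da21c83f3e101d2cfbf8bdcae05a669",
    "6356806d38b8cd31d3345f4743fe5524766cd2de43ae0dc00cd4609d1045d269",
    "80c31cfba0335dcde334347b5e03f488b03ab2de413197de41d3db6fd54231f8",
    "be006c3758322f12e9481f3b3a722a5447b0962e659c3c22ef422a3a6112ab3c",
}
# Hostnames of the URLs in the extracted neconyd config.
C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}
# The two drop locations from the report, in the normalized form produced below.
DROP_PATHS = {r"%appdata%\omsecor.exe", r"%systemroot%\syswow64\omsecor.exe"}
DROP_NAME = "omsecor.exe"


def normalize_path(path, wow64=False):
    """Lower-case a Windows path and fold the roaming profile and the Windows
    directory to %appdata% / %systemroot%. For a 32-bit (WOW64) process,
    System32 is folded to SysWOW64, since Windows redirects its System32
    writes there (PID 1428 in the tree above is the concrete case)."""
    p = path.lower().replace("/", "\\")
    p = re.sub(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming", "%appdata%", p)
    p = re.sub(r"^[a-z]:\\windows", "%systemroot%", p)
    if wow64:
        p = p.replace("%systemroot%\\system32\\", "%systemroot%\\syswow64\\")
    return p


def find_self_spawn_chains(process_events, name=DROP_NAME):
    """Return chains [child, parent, grandparent, ...] where every process
    image is `name`, walked upward from each leaf for as long as that holds.
    Only leaves are reported so one lineage yields exactly one chain."""
    image = {pid: img for pid, _, img in process_events}
    parent = {pid: ppid for pid, ppid, _ in process_events}

    def is_target(pid):
        return pid in image and image[pid].lower().rsplit("\\", 1)[-1] == name

    targets = [pid for pid in image if is_target(pid)]
    parents_of_targets = {parent[pid] for pid in targets}
    chains = []
    for pid in targets:
        if pid in parents_of_targets:
            continue  # an omsecor.exe child exists; its chain covers this one
        chain = [pid]
        while is_target(parent.get(chain[-1])):
            chain.append(parent[chain[-1]])
        if len(chain) >= 2:
            chains.append(chain)
    return chains


def hunt(file_events, process_events, dns_events):
    """Run every indicator class over the telemetry and return the hits by kind."""
    hits = {"hash": [], "path": [], "chains": [], "c2": []}
    for ev in file_events:
        if ev["sha256"].lower() in SHA256_IOCS:
            hits["hash"].append(ev["pid"])
        if normalize_path(ev["path"], ev.get("wow64", False)) in DROP_PATHS:
            hits["path"].append(ev["pid"])
    hits["chains"] = find_self_spawn_chains(process_events)
    hits["c2"] = [(pid, host) for pid, host in dns_events
                  if host.lower().rstrip(".") in C2_HOSTS]
    return hits


# Constructed telemetry modelled on the report's process tree; not real EDR output.
# Which download hash belongs to which drop is an assumption made for the example.
FILE_EVENTS = [
    {"pid": 2868, "path": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "sha256": "6356806d38b8cd31d3345f4743fe5524766cd2de43ae0dc00cd4609d1045d269", "wow64": True},
    {"pid": 2992, "path": r"C:\Windows\System32\omsecor.exe",  # 32-bit writer, redirected to SysWOW64
     "sha256": "80c31cfba0335dcde334347b5e03f488b03ab2de413197de41d3db6fd54231f8", "wow64": True},
    {"pid": 4242, "path": r"C:\Users\Admin\Documents\notes.txt", "sha256": "0" * 64, "wow64": False},
]
PROCESS_EVENTS = [  # (pid, ppid, image path)
    (2868, 1000, r"C:\Users\Admin\AppData\Local\Temp\f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe"),
    (2992, 2868, r"C:\Users\Admin\AppData\Roaming\omsecor.exe"),
    (1428, 2992, r"C:\Windows\SysWOW64\omsecor.exe"),
    (1444, 1428, r"C:\Users\Admin\AppData\Roaming\omsecor.exe"),
    (5000, 1000, r"C:\Windows\explorer.exe"),
]
DNS_EVENTS = [(2992, "lousta.net"), (5000, "example.com")]  # (pid, queried name)

if __name__ == "__main__":
    for kind, found in hunt(FILE_EVENTS, PROCESS_EVENTS, DNS_EVENTS).items():
        print(f"{kind}: {found}")
```

The lineage check is the most durable of the four: the hashes change with every build (the three 35KB downloads already differ from one another and from the sample) and the domains can be rotated, but a copy of the dropper re-launching itself from %APPDATA% and SysWOW64 is what the process tree shows regardless of build.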
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 35KB
MD5: 46cd72f6b4edfc791895e6d62a605e7b
SHA1: cacf86591a4829714ad8f846f15f7bb3cb001460
SHA256: 6356806d38b8cd31d3345f4743fe5524766cd2de43ae0dc00cd4609d1045d269
SHA512: cf3c4edf67c7b706229d2f49d6cf34ed072cd4e46ede20e65f2d5fdb1248a58a0f9be6992805b0eb6044d779e40d241ddee44c4f10c2b301aba8428fe9bd7552

Filesize: 35KB
MD5: 3f253bc39915adc5df3209695f6183a4
SHA1: defc0c4380a50b22e5f8217510ce97b4b20eac2a
SHA256: 80c31cfba0335dcde334347b5e03f488b03ab2de413197de41d3db6fd54231f8
SHA512: 2541ce9b8bdc434e6c8c1f68d3d36272ac19368f8659a19f9a48fccb3a15fa6989218de7bfb577b3061500777100d4d4e0d9bc38d4e57bd6adf3a7d645fefc74

Filesize: 35KB
MD5: 2329d3fbf29229fe044ce4f0c0f62b56
SHA1: 1bb26fe7f6ab2df2cb51c41b173fb108608f81f5
SHA256: be006c3758322f12e9481f3b3a722a5447b0962e659c3c22ef422a3a6112ab3c
SHA512: 1af1b41d131fd185f3643ca2328467bfc45f1383e7825ad73a65abd647b07564be2f0bd718eafaae7ae80179b028fbba67174e0ea09ca238ddcb3b5900778549