Analysis

max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 16:35

Behavioral task: behavioral1
Sample: f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe
Size: 35KB
MD5: f4436b10750b5abd50e65308988c0ce0
SHA1: d72bb7ca6fbeb581dddc0133d6baf5d1b534d497
SHA256: ec6f0134583a5bac273914fc276c475f0da21c83f3e101d2cfbf8bdcae05a669
SHA512: c7b18b4f519ffa684632a5a3f52f8ee809ceb0bc964cbf85423828ad12505a2f96d2390356b0239ab2051627c8213249733f4ccc39f4fd26bfd7766b2d2fa301
SSDEEP: 768:/6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:C8Z0kA7FHlO2OwOTUtKjpB
Malware Config

Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  4296  omsecor.exe
  2344  omsecor.exe
  664   omsecor.exe

Processes:
  resource                                                                    yara_rule
  behavioral2/memory/4548-1-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  C:\Users\Admin\AppData\Roaming\omsecor.exe                                  upx
  behavioral2/memory/4296-6-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral2/memory/4296-7-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral2/memory/4296-10-0x0000000000400000-0x000000000042D000-memory.dmp upx
  behavioral2/memory/4296-13-0x0000000000400000-0x000000000042D000-memory.dmp upx
  behavioral2/memory/4296-14-0x0000000000400000-0x000000000042D000-memory.dmp upx
  C:\Windows\SysWOW64\omsecor.exe                                             upx
  behavioral2/memory/4296-20-0x0000000000400000-0x000000000042D000-memory.dmp upx
  behavioral2/memory/2344-22-0x0000000000400000-0x000000000042D000-memory.dmp upx
  C:\Users\Admin\AppData\Roaming\omsecor.exe                                  upx
  behavioral2/memory/2344-28-0x0000000000400000-0x000000000042D000-memory.dmp upx
  behavioral2/memory/664-26-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral2/memory/664-29-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral2/memory/664-32-0x0000000000400000-0x000000000042D000-memory.dmp  upx

Drops file in System32 directory (1 IoCs)
Processes:
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                   pid   process                                              target process
  PID 4548 wrote to memory of 4296  4548  f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe  omsecor.exe
  PID 4548 wrote to memory of 4296  4548  f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe  omsecor.exe
  PID 4548 wrote to memory of 4296  4548  f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe  omsecor.exe
  PID 4296 wrote to memory of 2344  4296  omsecor.exe                                          omsecor.exe
  PID 4296 wrote to memory of 2344  4296  omsecor.exe                                          omsecor.exe
  PID 4296 wrote to memory of 2344  4296  omsecor.exe                                          omsecor.exe
  PID 2344 wrote to memory of 664   2344  omsecor.exe                                          omsecor.exe
  PID 2344 wrote to memory of 664   2344  omsecor.exe                                          omsecor.exe
  PID 2344 wrote to memory of 664   2344  omsecor.exe                                          omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe"
   - Suspicious use of WriteProcessMemory
   PID: 4548

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      PID: 4296

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         PID: 2344

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            PID: 664
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 35KB
MD5: e33a9af6430de5c407d3b842fc8f80aa
SHA1: b969cde4449b9f7ae8b6441886ec363b48471e4a
SHA256: f32066d9a8b53ecbdb298d1bdf38e3d1413b2248b20ec455593f0214442c787f
SHA512: 42e83f16342bdf23bf3576864cdb3bd98ed7c045a421fa14a30b4d566b2a480a5fa5d31a531b8adc21a8feb96fcc9fcd8da5b89c3fbdde112fdac70548e1815c

Filesize: 35KB
MD5: 46cd72f6b4edfc791895e6d62a605e7b
SHA1: cacf86591a4829714ad8f846f15f7bb3cb001460
SHA256: 6356806d38b8cd31d3345f4743fe5524766cd2de43ae0dc00cd4609d1045d269
SHA512: cf3c4edf67c7b706229d2f49d6cf34ed072cd4e46ede20e65f2d5fdb1248a58a0f9be6992805b0eb6044d779e40d241ddee44c4f10c2b301aba8428fe9bd7552

Filesize: 35KB
MD5: 1381cf24600c6c13533b9b4344243700
SHA1: d45423ae2ed4e59ae4ddeffd9c5a8a1c08d5276f
SHA256: 9d2f50ad4741f154297f7378db882ead96e0ae9443a21232f92bc3f8a46bcb4f
SHA512: 01e0efdc3053a63799205899040b294eea11757f2ed24621f2c9f6cd3e77fc931a0fc2c2c47d70b369d52eaed5b0749d33ce4280a1d18903ba7bb6fba7f856af