Analysis
max time kernel: 147s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 15:54
Behavioral task: behavioral1
Sample: ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe
Size: 35KB
MD5: ea4b8258ea7656cc6859faa6772d0070
SHA1: 0faca799f7e63291ffd662ee8493acf301886b5b
SHA256: e1b813815f8a7f15b24823c47aef070222987070c4b83859bdad6bac317938fc
SHA512: e4c2bc724ff43a5c1970179ca2ea68c1ac8c9479ea8361f06b1fe4fa97cea17d82819d2174e5c049b3c71c25929b4d3c5f0e135c1804412120510a573d6ff16d
SSDEEP: 768:e6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:l8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted: neconyd
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  1320  omsecor.exe
  2332  omsecor.exe
  1908  omsecor.exe
Loads dropped DLL (6 IoCs)
Processes:
  pid   process
  2792  ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe
  2792  ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe
  1320  omsecor.exe
  1320  omsecor.exe
  2332  omsecor.exe
  2332  omsecor.exe
Processes (YARA rule matches):
  yara_rule  resource
  upx        behavioral1/memory/2792-0-0x0000000000400000-0x000000000042D000-memory.dmp
  upx        \Users\Admin\AppData\Roaming\omsecor.exe
  upx        behavioral1/memory/1320-14-0x0000000000400000-0x000000000042D000-memory.dmp
  upx        behavioral1/memory/2792-12-0x0000000000400000-0x000000000042D000-memory.dmp
  upx        behavioral1/memory/1320-15-0x0000000000400000-0x000000000042D000-memory.dmp
  upx        behavioral1/memory/1320-18-0x0000000000400000-0x000000000042D000-memory.dmp
  upx        behavioral1/memory/1320-21-0x0000000000400000-0x000000000042D000-memory.dmp
  upx        behavioral1/memory/1320-24-0x0000000000400000-0x000000000042D000-memory.dmp
  upx        behavioral1/memory/2332-47-0x0000000000400000-0x000000000042D000-memory.dmp
  upx        C:\Users\Admin\AppData\Roaming\omsecor.exe
  upx        behavioral1/memory/1908-48-0x0000000000400000-0x000000000042D000-memory.dmp
  upx        behavioral1/memory/2332-40-0x0000000000220000-0x000000000024D000-memory.dmp
  upx        C:\Windows\SysWOW64\omsecor.exe
  upx        behavioral1/memory/1320-34-0x0000000000400000-0x000000000042D000-memory.dmp
  upx        behavioral1/memory/1320-27-0x0000000001F70000-0x0000000001F9D000-memory.dmp
  upx        behavioral1/memory/1908-50-0x0000000000400000-0x000000000042D000-memory.dmp
  upx        behavioral1/memory/1908-53-0x0000000000400000-0x000000000042D000-memory.dmp
Drops file in System32 directory (1 IoC)
Processes:
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process                                               target process
  PID 2792 wrote to memory of 1320  2792  ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe  omsecor.exe
  PID 2792 wrote to memory of 1320  2792  ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe  omsecor.exe
  PID 2792 wrote to memory of 1320  2792  ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe  omsecor.exe
  PID 2792 wrote to memory of 1320  2792  ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe  omsecor.exe
  PID 1320 wrote to memory of 2332  1320  omsecor.exe                                           omsecor.exe
  PID 1320 wrote to memory of 2332  1320  omsecor.exe                                           omsecor.exe
  PID 1320 wrote to memory of 2332  1320  omsecor.exe                                           omsecor.exe
  PID 1320 wrote to memory of 2332  1320  omsecor.exe                                           omsecor.exe
  PID 2332 wrote to memory of 1908  2332  omsecor.exe                                           omsecor.exe
  PID 2332 wrote to memory of 1908  2332  omsecor.exe                                           omsecor.exe
  PID 2332 wrote to memory of 1908  2332  omsecor.exe                                           omsecor.exe
  PID 2332 wrote to memory of 1908  2332  omsecor.exe                                           omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2792

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      PID: 1320

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         PID: 2332

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            PID: 1908
Downloads

Filesize: 35KB
MD5: 2a541cb03737d4b287b01efc5fa6edc2
SHA1: 6be83e77e238608209c06f3d1d705ad9bc76dae9
SHA256: 8f702e81868dd2b926e07df7643a61720186242927ce27f425033828569b4f43
SHA512: 9dcd23b67a6fd5bb70a0af72da6734e139cefeb5282b975a851bd44e3419631e29063850a83cf865d3f42c44943a09e618c246b07521ce28f424bb39c2dd3318

Filesize: 35KB
MD5: 91ad98d31ff0f7326213b84b78892407
SHA1: 1331cadc57af20dc1b28cc0fc70cf32c651d44c4
SHA256: bf33be38c15fde5df61ab26ae8c97e006054a6eb6382d6c1de30f80091a3c2b4
SHA512: 9610088367022bf95537b5185e22665750f11691ac83ccd13aabb7044e8cf4940dad948c941310ba02ca74ea411dbe1888c935d11e25160f1fe3ec8a57dc1b61

Filesize: 35KB
MD5: 53e7f97ee5472e77f56e4b25ad2e210a
SHA1: a657d300b07e249fb9f6645b2e26c1a92bfcccec
SHA256: 1b3161384d555f6fafed139fd102f7fd8270dd7a3a88012b1400393c220be336
SHA512: ade434cff6ec7f96df748ece6ddf2119b41842c109aaaad36e671b6633c4ceb3e054251f8204eb04c4c5c455aa67568c4326e5c3e2a71cf6ae09f86583024f16