Analysis
max time kernel: 145s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 15:54
Behavioral task: behavioral1
Sample: ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe
Size: 35KB
MD5: ea4b8258ea7656cc6859faa6772d0070
SHA1: 0faca799f7e63291ffd662ee8493acf301886b5b
SHA256: e1b813815f8a7f15b24823c47aef070222987070c4b83859bdad6bac317938fc
SHA512: e4c2bc724ff43a5c1970179ca2ea68c1ac8c9479ea8361f06b1fe4fa97cea17d82819d2174e5c049b3c71c25929b4d3c5f0e135c1804412120510a573d6ff16d
SSDEEP: 768:e6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:l8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 4016  omsecor.exe
    PID 2184  omsecor.exe
    PID 3340  omsecor.exe
- Yara rule match: upx (16 IoCs)
  Resources:
    behavioral2/memory/2748-0-0x0000000000400000-0x000000000042D000-memory.dmp
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    behavioral2/memory/4016-5-0x0000000000400000-0x000000000042D000-memory.dmp
    behavioral2/memory/2748-6-0x0000000000400000-0x000000000042D000-memory.dmp
    behavioral2/memory/4016-7-0x0000000000400000-0x000000000042D000-memory.dmp
    behavioral2/memory/4016-10-0x0000000000400000-0x000000000042D000-memory.dmp
    behavioral2/memory/4016-13-0x0000000000400000-0x000000000042D000-memory.dmp
    behavioral2/memory/4016-14-0x0000000000400000-0x000000000042D000-memory.dmp
    C:\Windows\SysWOW64\omsecor.exe
    behavioral2/memory/2184-18-0x0000000000400000-0x000000000042D000-memory.dmp
    behavioral2/memory/4016-21-0x0000000000400000-0x000000000042D000-memory.dmp
    behavioral2/memory/3340-25-0x0000000000400000-0x000000000042D000-memory.dmp
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    behavioral2/memory/2184-27-0x0000000000400000-0x000000000042D000-memory.dmp
    behavioral2/memory/3340-29-0x0000000000400000-0x000000000042D000-memory.dmp
    behavioral2/memory/3340-31-0x0000000000400000-0x000000000042D000-memory.dmp
- Drops file in System32 directory (1 IoC)
  Description   IoC                               Process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Description                      PID   Process                                               Target process
  PID 2748 wrote to memory of 4016 2748  ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe   omsecor.exe
  PID 2748 wrote to memory of 4016 2748  ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe   omsecor.exe
  PID 2748 wrote to memory of 4016 2748  ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe   omsecor.exe
  PID 4016 wrote to memory of 2184 4016  omsecor.exe                                           omsecor.exe
  PID 4016 wrote to memory of 2184 4016  omsecor.exe                                           omsecor.exe
  PID 4016 wrote to memory of 2184 4016  omsecor.exe                                           omsecor.exe
  PID 2184 wrote to memory of 3340 2184  omsecor.exe                                           omsecor.exe
  PID 2184 wrote to memory of 3340 2184  omsecor.exe                                           omsecor.exe
  PID 2184 wrote to memory of 3340 2184  omsecor.exe                                           omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe"
   PID: 2748
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 4016
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2184
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 3340
            - Executes dropped EXE
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
   PID: 3188
Downloads
- Filesize: 35KB
  MD5: 2b57f287055bb4d52867aa96a90b4110
  SHA1: f078cb63e86c5427880099f829ab22a317634738
  SHA256: 11b2174ec4ddb88330d99257c44492b0755b8ce015d5677cc7f496388e67dc95
  SHA512: 36f646654cd853d88775a9279a1f7eec05d6dc44a389b155f1395dd261231ce0bf7ef061ab6c2e6fb5c27afef9feb0c5ff51e3829f23937ba09912d3498a7c72
- Filesize: 35KB
  MD5: 53e7f97ee5472e77f56e4b25ad2e210a
  SHA1: a657d300b07e249fb9f6645b2e26c1a92bfcccec
  SHA256: 1b3161384d555f6fafed139fd102f7fd8270dd7a3a88012b1400393c220be336
  SHA512: ade434cff6ec7f96df748ece6ddf2119b41842c109aaaad36e671b6633c4ceb3e054251f8204eb04c4c5c455aa67568c4326e5c3e2a71cf6ae09f86583024f16
- Filesize: 35KB
  MD5: 88ccf33362a884387e399ddcb71231c0
  SHA1: 0f4187dd7c0f14948be865a074f5a1cf0519aa3a
  SHA256: 55bedecb03540a47edeae1bda4b1230ecc701a2fd5e3e56fca2e392bd728f2e1
  SHA512: 20a2430a4815dc94b38147da16fe6d23a672b7fe5f64a7d1eb5712f285b66f609c147e547e2df9e450deb7c2689b82da5429b4352f5d2cae4c1ee806e916e018