Analysis
max time kernel: 150s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 15:57
Behavioral task: behavioral1
Sample: eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe
Resource: win7-20231129-en
General
Target: eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe
Size: 64KB
MD5: eb1e83c18cc7a8366a0fbe64d952bf60
SHA1: bf32cc86e6145f6b262b09cff5cf234fe1aa87f5
SHA256: 13473a8ea2c2ef9ff7e052c636da90019ae5dd2c5213f5a98bfd78831f224e87
SHA512: d61a75360dcc4ec26ccb677e639eaea70683aaf2afb1f22da1b206937e04edb8eb00536ef8ff60208b7c999581228f427b1cc87bb77a97f52e2f17158efa5e25
SSDEEP: 768:iMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:ibIvYvZEyFKF6N4yS+AQmZcl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes: omsecor.exe, omsecor.exe, omsecor.exe
pid    process
1660   omsecor.exe
1852   omsecor.exe
4948   omsecor.exe

Drops file in System32 directory (1 IoCs)
Processes: omsecor.exe
description    ioc                                process
File created   C:\Windows\SysWOW64\omsecor.exe    omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe, omsecor.exe, omsecor.exe
description                         pid    process                                                target process
PID 1488 wrote to memory of 1660    1488   eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe    omsecor.exe
PID 1488 wrote to memory of 1660    1488   eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe    omsecor.exe
PID 1488 wrote to memory of 1660    1488   eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe    omsecor.exe
PID 1660 wrote to memory of 1852    1660   omsecor.exe                                            omsecor.exe
PID 1660 wrote to memory of 1852    1660   omsecor.exe                                            omsecor.exe
PID 1660 wrote to memory of 1852    1660   omsecor.exe                                            omsecor.exe
PID 1852 wrote to memory of 4948    1852   omsecor.exe                                            omsecor.exe
PID 1852 wrote to memory of 4948    1852   omsecor.exe                                            omsecor.exe
PID 1852 wrote to memory of 4948    1852   omsecor.exe                                            omsecor.exe
Processes

C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe"
  PID: 1488
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 1660
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 1852
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 4948
        - Executes dropped EXE
Downloads