Analysis

max time kernel: 146s
max time network: 147s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 16:23
Behavioral task: behavioral1
Sample: f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe
Resource: win7-20240419-en
General

Target: f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe
Size: 35KB
MD5: f1443d530c33991545851fd1fc8f64d0
SHA1: 25f13fbd840e3dce09526506b08e900c5b4a2fb2
SHA256: 08ec2af680d9e1a17e8a14f174f85f84e18c0d77b0ba5edfa74d0c02495e2124
SHA512: 5a41735166eeb337280cc180291510652d796b8e835e8539cc3d6da186e6481b05268f5ea5176210ed7c26af4b2264bbea2c8aae6d0b0f963845b0ab263b96f0
SSDEEP: 768:k6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:z8Z0kA7FHlO2OwOTUtKjpB
Malware Config

Extracted family: neconyd
Extracted URLs:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  3000  omsecor.exe
  1220  omsecor.exe
  2412  omsecor.exe
Loads dropped DLL (6 IoCs)
Processes:
  pid   process
  1600  f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe
  1600  f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe
  3000  omsecor.exe
  3000  omsecor.exe
  1220  omsecor.exe
  1220  omsecor.exe
YARA rule matches (rule: upx)
Processes:
  resource                                                                  yara_rule
  behavioral1/memory/1600-0-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  \Users\Admin\AppData\Roaming\omsecor.exe                                   upx
  behavioral1/memory/1600-4-0x0000000000230000-0x000000000025D000-memory.dmp   upx
  behavioral1/memory/3000-13-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral1/memory/1600-10-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral1/memory/3000-14-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral1/memory/3000-17-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral1/memory/3000-20-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral1/memory/3000-23-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  \Windows\SysWOW64\omsecor.exe                                              upx
  behavioral1/memory/3000-26-0x0000000000290000-0x00000000002BD000-memory.dmp  upx
  behavioral1/memory/3000-34-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  \Users\Admin\AppData\Roaming\omsecor.exe                                   upx
  behavioral1/memory/1220-37-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral1/memory/2412-46-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral1/memory/2412-48-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral1/memory/2412-51-0x0000000000400000-0x000000000042D000-memory.dmp  upx
Drops file in System32 directory (1 IoC)
Processes:
  description   ioc                             process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        pid   process                                              target process
  PID 1600 wrote to memory of 3000   1600  f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe  omsecor.exe
  PID 1600 wrote to memory of 3000   1600  f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe  omsecor.exe
  PID 1600 wrote to memory of 3000   1600  f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe  omsecor.exe
  PID 1600 wrote to memory of 3000   1600  f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe  omsecor.exe
  PID 3000 wrote to memory of 1220   3000  omsecor.exe                                          omsecor.exe
  PID 3000 wrote to memory of 1220   3000  omsecor.exe                                          omsecor.exe
  PID 3000 wrote to memory of 1220   3000  omsecor.exe                                          omsecor.exe
  PID 3000 wrote to memory of 1220   3000  omsecor.exe                                          omsecor.exe
  PID 1220 wrote to memory of 2412   1220  omsecor.exe                                          omsecor.exe
  PID 1220 wrote to memory of 2412   1220  omsecor.exe                                          omsecor.exe
  PID 1220 wrote to memory of 2412   1220  omsecor.exe                                          omsecor.exe
  PID 1220 wrote to memory of 2412   1220  omsecor.exe                                          omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe"
   PID: 1600
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 3000
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         command line: C:\Windows\System32\omsecor.exe
         PID: 1220
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2412
            - Executes dropped EXE
Downloads

Filesize: 35KB
MD5: 7e8ade6d5357893def7071140dff6f30
SHA1: a7d883fe8e4344cf422ece5e06fbabd04627a568
SHA256: ade72ea8b9797d187e0fdb5b425620fa1d6dee780625f96e6fb552d91ff33b17
SHA512: 1745702e1670f1f129be21554101aa71235df82f60d061607b6d70c0c8e484bbf6de1766de5f3d760b342beaf8f1988f7d2ab2fdfb6df3d05c6ba009f0145d40

Filesize: 35KB
MD5: d7b126af241a909837b08f6b6518dd0c
SHA1: aff1656886a6b73ff7509456d29ac5bf56a517db
SHA256: 92404d891f448b7f9918442681650a6ee7cd4cb98a58c125019b669ef6a13f83
SHA512: 1f330753c898bc6339bb95c33ba74c01684d6140a53b55bae964089624465d53e2181b0fcad69e300224445887302e04b1de946a47eecdb3894fe4b6bae121a6

Filesize: 35KB
MD5: 1886ecf7911fc45e2b01ddbb0c10ffca
SHA1: 93b3fafff7f23d558492197ebd4ec2bc7b19927b
SHA256: 600adc28534e98cb4737436e0601497e1f627841238ebb123c5506a69e93d7f6
SHA512: 33647bac8341f6c4e2f764a1089622602b9bb4e8e1abcd56c1e49c7a3ae45eb12a7239ace446f70ca90ed392cf84bf0000baa481bf29eb7616c77a3f1b17f46c