Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-05-2024 16:23
Behavioral task: behavioral1
- Sample: f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe
- Resource: win7-20240419-en
General
- Target: f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe
- Size: 35KB
- MD5: f1443d530c33991545851fd1fc8f64d0
- SHA1: 25f13fbd840e3dce09526506b08e900c5b4a2fb2
- SHA256: 08ec2af680d9e1a17e8a14f174f85f84e18c0d77b0ba5edfa74d0c02495e2124
- SHA512: 5a41735166eeb337280cc180291510652d796b8e835e8539cc3d6da186e6481b05268f5ea5176210ed7c26af4b2264bbea2c8aae6d0b0f963845b0ab263b96f0
- SSDEEP: 768:k6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:z8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: omsecor.exe, omsecor.exe, omsecor.exe
  pid   process
  1492  omsecor.exe
  3416  omsecor.exe
  3672  omsecor.exe
- YARA rule matches
  Processes:
  resource                                                                     yara_rule
  behavioral2/memory/5048-0-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  C:\Users\Admin\AppData\Roaming\omsecor.exe                                   upx
  behavioral2/memory/5048-5-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral2/memory/1492-7-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral2/memory/1492-8-0x0000000000400000-0x000000000042D000-memory.dmp   upx
  behavioral2/memory/1492-11-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral2/memory/1492-14-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral2/memory/1492-15-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  C:\Windows\SysWOW64\omsecor.exe                                              upx
  behavioral2/memory/1492-21-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral2/memory/3416-22-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  C:\Users\Admin\AppData\Roaming\omsecor.exe                                   upx
  behavioral2/memory/3416-27-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral2/memory/3672-28-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral2/memory/3672-30-0x0000000000400000-0x000000000042D000-memory.dmp  upx
  behavioral2/memory/3672-33-0x0000000000400000-0x000000000042D000-memory.dmp  upx
- Drops file in System32 directory (1 IoCs)
  Processes: omsecor.exe
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe, omsecor.exe, omsecor.exe
  description                        pid   process                                              target process
  PID 5048 wrote to memory of 1492   5048  f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe  omsecor.exe
  PID 5048 wrote to memory of 1492   5048  f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe  omsecor.exe
  PID 5048 wrote to memory of 1492   5048  f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe  omsecor.exe
  PID 1492 wrote to memory of 3416   1492  omsecor.exe                                          omsecor.exe
  PID 1492 wrote to memory of 3416   1492  omsecor.exe                                          omsecor.exe
  PID 1492 wrote to memory of 3416   1492  omsecor.exe                                          omsecor.exe
  PID 3416 wrote to memory of 3672   3416  omsecor.exe                                          omsecor.exe
  PID 3416 wrote to memory of 3672   3416  omsecor.exe                                          omsecor.exe
  PID 3416 wrote to memory of 3672   3416  omsecor.exe                                          omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe"
   PID: 5048
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1492
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 3416
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 3672
            - Executes dropped EXE
Downloads
- Filesize: 35KB
  MD5: dd326c2717746f2692e70360e6b027c8
  SHA1: 2a7fb8cb3f5ef45a989347971a750c4605449418
  SHA256: 6225756162730bbd54f2f60d98d6e7a19892681f708e52d69619c215226e55a0
  SHA512: f2a7a544f77287a0d106740505c6a113738e296b5ed600c565843647da81a060c77e8ae45d3bb4ba7496aede5238825dc6bee83c286790840d118b2a827a63b3
- Filesize: 35KB
  MD5: 7e8ade6d5357893def7071140dff6f30
  SHA1: a7d883fe8e4344cf422ece5e06fbabd04627a568
  SHA256: ade72ea8b9797d187e0fdb5b425620fa1d6dee780625f96e6fb552d91ff33b17
  SHA512: 1745702e1670f1f129be21554101aa71235df82f60d061607b6d70c0c8e484bbf6de1766de5f3d760b342beaf8f1988f7d2ab2fdfb6df3d05c6ba009f0145d40
- Filesize: 35KB
  MD5: fe4fa743c6f809a602615438c45d3522
  SHA1: 346515e9205420d1d2c911bb22ee842c29691712
  SHA256: 2ca41985efceed751b1ed8f214bc65c5e17923f2089b2a0602f44578e60de93b
  SHA512: a2e074b50520d8a0658ad59a77b18a39b7416b1024fd72d222be08a70014eeb4a72c9926f345cab0baa8cb2b211e0f1970ba0f92c3b42c4bc0d60d6673136a47