Analysis
max time kernel: 146s
max time network: 147s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 18:16
Behavioral task: behavioral1
Sample: 1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: 1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe
Size: 68KB
MD5: 1250fe92a2260f7c09dc1c5095dd5230
SHA1: 7f3725bfabb33a113b075622f577cba0ca66a86d
SHA256: 6fda56328ae06afb2adeba143f785bc80ba529a06b97d627251603698a886c7d
SHA512: ae3c582915a86927a1116e3d555bb9603855cfc0e12cf4b7d0e560a90b18a294caf0a73e804b6b3df000a1609630a7f72fadb49454ad63cb3027c38707f77f45
SSDEEP: 1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:4dseIOMEZEyFjEOFqTiQm5l/5
Malware Config
Extracted
Family: neconyd
C2:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
pid  | process
1736 | omsecor.exe
2608 | omsecor.exe
2924 | omsecor.exe

Loads dropped DLL (6 IoCs)
Processes:
pid  | process
2108 | 1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe
2108 | 1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe
1736 | omsecor.exe
1736 | omsecor.exe
2608 | omsecor.exe
2608 | omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
description  | ioc                              | process
File created | C:\Windows\SysWOW64\omsecor.exe  | omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description                       | pid  | process                                               | target process
PID 2108 wrote to memory of 1736  | 2108 | 1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe | omsecor.exe
PID 2108 wrote to memory of 1736  | 2108 | 1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe | omsecor.exe
PID 2108 wrote to memory of 1736  | 2108 | 1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe | omsecor.exe
PID 2108 wrote to memory of 1736  | 2108 | 1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe | omsecor.exe
PID 1736 wrote to memory of 2608  | 1736 | omsecor.exe                                           | omsecor.exe
PID 1736 wrote to memory of 2608  | 1736 | omsecor.exe                                           | omsecor.exe
PID 1736 wrote to memory of 2608  | 1736 | omsecor.exe                                           | omsecor.exe
PID 1736 wrote to memory of 2608  | 1736 | omsecor.exe                                           | omsecor.exe
PID 2608 wrote to memory of 2924  | 2608 | omsecor.exe                                           | omsecor.exe
PID 2608 wrote to memory of 2924  | 2608 | omsecor.exe                                           | omsecor.exe
PID 2608 wrote to memory of 2924  | 2608 | omsecor.exe                                           | omsecor.exe
PID 2608 wrote to memory of 2924  | 2608 | omsecor.exe                                           | omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe"
   PID: 2108
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1736
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2608
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2924
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 68KB
MD5: 36ba5045984713994e40557aca4b1e0a
SHA1: 639dfffa81c32e6fc0bb0a362f251ef4a5e6f1a8
SHA256: cd8f08327d1d2d2288d78996e39b9f76c1c947484a0d2fbca6e50b6f8455593b
SHA512: c8f0b9d1e15ae8f66d9637899166f2f665d0c3e4dfe3c3f8bff0ce67cf9e67767d4f1f68861852c3a0a198d4e304f51b392a4bea241583440e6f0fa3f7b9338b

Filesize: 68KB
MD5: 921e3af9255bb97b8229deefc2071f6a
SHA1: f984ee09233cf7c8e74d1db3e061e08067f00cbb
SHA256: bff6a82f3de4096b293b2708ad3972ac8e22bd2d5fc549e8cc080e580dca1245
SHA512: e7e57d24607c359aa2146d3d380d7c6070ec28c9bfade13c120a35087b2e4df6ba343510fbca73ba9795ed32c4dad2560b7d39e7ff689e63d270a32b1616a682

Filesize: 68KB
MD5: d731e6fb560d9681b1fbad2d578935cb
SHA1: e31cd803557c66238f76e40ce606fef8f8ac2021
SHA256: 2ceb82e483c69571bacebaf0fd47d25f5b16a2913d6952f33771e6a48c61152b
SHA512: 6f4ffad1e19f35455af6d605d254453ad593a417569f64c208263a839056d0957a4ecacbbf0cb5124ea0926d86c663222d113772437b69510f837d4316cd1d9e