Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
19-05-2024 18:16
Behavioral task
behavioral1
Sample
1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe
Resource
win7-20240508-en
General
-
Target
1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe
-
Size
68KB
-
MD5
1250fe92a2260f7c09dc1c5095dd5230
-
SHA1
7f3725bfabb33a113b075622f577cba0ca66a86d
-
SHA256
6fda56328ae06afb2adeba143f785bc80ba529a06b97d627251603698a886c7d
-
SHA512
ae3c582915a86927a1116e3d555bb9603855cfc0e12cf4b7d0e560a90b18a294caf0a73e804b6b3df000a1609630a7f72fadb49454ad63cb3027c38707f77f45
-
SSDEEP
1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:4dseIOMEZEyFjEOFqTiQm5l/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
2352  omsecor.exe
4764  omsecor.exe
2676  omsecor.exe
-
Drops file in System32 directory 1 IoCs
Processes:
description   ioc                              process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description                         pid   process                                              target process
PID 4880 wrote to memory of 2352    4880  1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe  omsecor.exe
PID 4880 wrote to memory of 2352    4880  1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe  omsecor.exe
PID 4880 wrote to memory of 2352    4880  1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe  omsecor.exe
PID 2352 wrote to memory of 4764    2352  omsecor.exe                                          omsecor.exe
PID 2352 wrote to memory of 4764    2352  omsecor.exe                                          omsecor.exe
PID 2352 wrote to memory of 4764    2352  omsecor.exe                                          omsecor.exe
PID 4764 wrote to memory of 2676    4764  omsecor.exe                                          omsecor.exe
PID 4764 wrote to memory of 2676    4764  omsecor.exe                                          omsecor.exe
PID 4764 wrote to memory of 2676    4764  omsecor.exe                                          omsecor.exe
Processes
C:\Users\Admin\AppData\Local\Temp\1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe"), PID 4880
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\omsecor.exe (command line: C:\Users\Admin\AppData\Roaming\omsecor.exe), PID 2352
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\omsecor.exe (command line: C:\Windows\System32\omsecor.exe), PID 4764
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\omsecor.exe (command line: C:\Users\Admin\AppData\Roaming\omsecor.exe), PID 2676
      - Executes dropped EXE
Downloads