Analysis
- Max time kernel: 145s
- Max time network: 147s
- Platform: windows7_x64
- Resource: win7-20240508-en
- Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- Submitted: 19-05-2024 18:44

Behavioral task: behavioral1
- Sample: 1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe
- Resource: win7-20240508-en
General
- Target: 1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe
- Size: 92KB
- MD5: 1918d9b514799d520138f35cd790f970
- SHA1: 56878704a2c83fc1b24a1e7fe11e509e2a760d3b
- SHA256: 8da2f608528331dbd1ddcc3500575fcb54ebeab692b5865b22166f84e18285b3
- SHA512: 2d9504c220125d9ac29004723f0f87ccfc92b3d6eec0a607e776e81a13ee9852986f2ee3bfbd3bc9526de024f56d8c7eeb62ed586685192b34bb70e185e210d3
- SSDEEP: 768:MMEIvFGvoEr8LFK0ic46N47eSvYAHwmZGp6JXXlaa5uA:MbIvYvoEyFKF6N4ySAAQmZTl/5
Malware Config
Extracted family: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    2796  omsecor.exe
    1848  omsecor.exe
    1692  omsecor.exe

- Loads dropped DLL (6 IoCs)
  Processes:
    PID   Process
    1964  1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe
    1964  1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe
    2796  omsecor.exe
    2796  omsecor.exe
    1848  omsecor.exe
    1848  omsecor.exe

- Drops file in System32 directory (1 IoC)
  Processes:
    Description   IoC                              Process
    File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    Description                       PID   Process                                               Target process
    PID 1964 wrote to memory of 2796  1964  1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe  omsecor.exe  (4 occurrences)
    PID 2796 wrote to memory of 1848  2796  omsecor.exe                                           omsecor.exe  (4 occurrences)
    PID 1848 wrote to memory of 1692  1848  omsecor.exe                                           omsecor.exe  (4 occurrences)
Processes

1. C:\Users\Admin\AppData\Local\Temp\1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe"
   PID: 1964
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2796
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 1848
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1692
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 92KB
  MD5: 48c25827d0468c208437fd2523217c7f
  SHA1: be7409cd8d43516fe108aa9975cce1f82f8bb4b1
  SHA256: ad8565a16403aa4239029694ace79a6c4ed9939d76263fdf58acd88a1c9c2ba7
  SHA512: 535ac55f9d3e4fa83a4b26219db80564a372e25347c7f0921958597bc8478f28955291d4d9d40bbf49bfd6cce44e745bfbf6e40c2b710fb7c0bdc46f6f65f1b0

- Filesize: 92KB
  MD5: dbe495da852b04916669af3bcf543e6d
  SHA1: c6ababcdc1984b7d4ab27dcdf8a9eeb4c8592a61
  SHA256: 91ee4c3ee50bf1277478d019895981952f6a55faed72edd9850fd3718745e750
  SHA512: 142398c4acbf34319f067996b1a8b498a2feb50989b29c4c5a25e44deadabdba95bb08d47eb6a4b151df43671b69f481cf617c4be435be6804e9f1ca8968a2b7

- Filesize: 92KB
  MD5: 83b1d5ffcbdcac983d6eea3f46f37a42
  SHA1: 8f1afdadc9d7bf4be8c0cd4945c96487c97dee43
  SHA256: ad9f3b15f86394acb40ff7e6c1fab914c5a74ae6c717e0fcbf45946f74b8c43e
  SHA512: 0d390538e171fd4ecd9b19c1750e72af3b3d4a4aab7125ff31892e2a16e106ead92bc205e6780a51545f2ecf075798818635c0a73c80be5946b820b8f3071015