Analysis
max time kernel: 145s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 18:44
Behavioral task
behavioral1
Sample
1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe
Resource
win7-20240508-en
General
Target: 1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe
Size: 92KB
MD5: 1918d9b514799d520138f35cd790f970
SHA1: 56878704a2c83fc1b24a1e7fe11e509e2a760d3b
SHA256: 8da2f608528331dbd1ddcc3500575fcb54ebeab692b5865b22166f84e18285b3
SHA512: 2d9504c220125d9ac29004723f0f87ccfc92b3d6eec0a607e776e81a13ee9852986f2ee3bfbd3bc9526de024f56d8c7eeb62ed586685192b34bb70e185e210d3
SSDEEP: 768:MMEIvFGvoEr8LFK0ic46N47eSvYAHwmZGp6JXXlaa5uA:MbIvYvoEyFKF6N4ySAAQmZTl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Executes dropped EXE 3 IoCs
Processes: omsecor.exe, omsecor.exe, omsecor.exe
pid | process
1516 | omsecor.exe
3364 | omsecor.exe
4620 | omsecor.exe
Drops file in System32 directory 1 IoCs
Processes: omsecor.exe
description | ioc | process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe, omsecor.exe, omsecor.exe
description | pid | process | target process
PID 1528 wrote to memory of 1516 | 1528 | 1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe | omsecor.exe
PID 1528 wrote to memory of 1516 | 1528 | 1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe | omsecor.exe
PID 1528 wrote to memory of 1516 | 1528 | 1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe | omsecor.exe
PID 1516 wrote to memory of 3364 | 1516 | omsecor.exe | omsecor.exe
PID 1516 wrote to memory of 3364 | 1516 | omsecor.exe | omsecor.exe
PID 1516 wrote to memory of 3364 | 1516 | omsecor.exe | omsecor.exe
PID 3364 wrote to memory of 4620 | 3364 | omsecor.exe | omsecor.exe
PID 3364 wrote to memory of 4620 | 3364 | omsecor.exe | omsecor.exe
PID 3364 wrote to memory of 4620 | 3364 | omsecor.exe | omsecor.exe
Processes
C:\Users\Admin\AppData\Local\Temp\1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:1528
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1516
C:\Windows\SysWOW64\omsecor.exe C:\Windows\System32\omsecor.exe 3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364
C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4⤵
- Executes dropped EXE
PID:4620
Network
MITRE ATT&CK Matrix
Downloads