Analysis
max time kernel: 145s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 21:13
Behavioral task: behavioral1
Sample: 3b02bba4c58e5212c09826fb09efa7d0_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 3b02bba4c58e5212c09826fb09efa7d0_NeikiAnalytics.exe
Size: 92KB
MD5: 3b02bba4c58e5212c09826fb09efa7d0
SHA1: b7942475df016d6169a951907d004a3bea9e4652
SHA256: 37db7492dfe068914d41761817ca7312e8445bc1f18f0cc724630d78b09434b8
SHA512: 27ac421f89556e7095a4d738cc01f94b18e7fc6e7e2dbffc62f5d779201677b8ec41d0112e11a12e3c62dd7352c5c6cf6176a54dcf53f25f633a151a70c7242f
SSDEEP: 1536:1d9dseIOcEE3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:9dseIO/EZEyFjEOFqTiQm5l/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Executes dropped EXE 3 IoCs
Processes: omsecor.exe, omsecor.exe, omsecor.exe
pid | process
1204 | omsecor.exe
2916 | omsecor.exe
4804 | omsecor.exe
Drops file in System32 directory 1 IoCs
Processes: omsecor.exe
description | ioc | process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 3b02bba4c58e5212c09826fb09efa7d0_NeikiAnalytics.exe, omsecor.exe, omsecor.exe
description | pid | process | target process
PID 4888 wrote to memory of 1204 | 4888 | 3b02bba4c58e5212c09826fb09efa7d0_NeikiAnalytics.exe | omsecor.exe
PID 4888 wrote to memory of 1204 | 4888 | 3b02bba4c58e5212c09826fb09efa7d0_NeikiAnalytics.exe | omsecor.exe
PID 4888 wrote to memory of 1204 | 4888 | 3b02bba4c58e5212c09826fb09efa7d0_NeikiAnalytics.exe | omsecor.exe
PID 1204 wrote to memory of 2916 | 1204 | omsecor.exe | omsecor.exe
PID 1204 wrote to memory of 2916 | 1204 | omsecor.exe | omsecor.exe
PID 1204 wrote to memory of 2916 | 1204 | omsecor.exe | omsecor.exe
PID 2916 wrote to memory of 4804 | 2916 | omsecor.exe | omsecor.exe
PID 2916 wrote to memory of 4804 | 2916 | omsecor.exe | omsecor.exe
PID 2916 wrote to memory of 4804 | 2916 | omsecor.exe | omsecor.exe
Processes
Image: C:\Users\Admin\AppData\Local\Temp\3b02bba4c58e5212c09826fb09efa7d0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3b02bba4c58e5212c09826fb09efa7d0_NeikiAnalytics.exe"
- Suspicious use of WriteProcessMemory
PID: 4888
    Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 1204
        Image: C:\Windows\SysWOW64\omsecor.exe
        Command line: C:\Windows\System32\omsecor.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 2916
            Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            PID: 4804
Downloads