Analysis
max time kernel: 146s
max time network: 150s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 21:22
Behavioral task: behavioral1
Sample: 3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: 3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe
Size: 62KB
MD5: 3d0b3b6e5fd1fc7c2c71c954e69b60b0
SHA1: 2d01e12c954def7d6a04e2f9359d4b7a89238262
SHA256: a7938f49caef03c60b55d5d71e1673c67537f8ad1c64744ee615dd83bea11b8e
SHA512: a2c3132337c66e23ca5a3f6bf465cc67321f7d5a747ccdf1ccc1d3c543a88999e8db5386e29a0495229fdd79dfea63660cf92b4c42c68713ca80f5116739768e
SSDEEP: 768:PMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uA:PbIvYvZEyFKF6N4yS+AQmZtl/5
Malware Config
Extracted: neconyd
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes (pid, process):
  1684  omsecor.exe
  1556  omsecor.exe
  1816  omsecor.exe

Loads dropped DLL (6 IoCs)
Processes (pid, process):
  1700  3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe
  1700  3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe
  1684  omsecor.exe
  1684  omsecor.exe
  1556  omsecor.exe
  1556  omsecor.exe

Drops file in System32 directory (1 IoC)
Processes (description, ioc, process):
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
  PID 1700 wrote to memory of 1684  1700  3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe  omsecor.exe
  PID 1700 wrote to memory of 1684  1700  3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe  omsecor.exe
  PID 1700 wrote to memory of 1684  1700  3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe  omsecor.exe
  PID 1700 wrote to memory of 1684  1700  3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe  omsecor.exe
  PID 1684 wrote to memory of 1556  1684  omsecor.exe  omsecor.exe
  PID 1684 wrote to memory of 1556  1684  omsecor.exe  omsecor.exe
  PID 1684 wrote to memory of 1556  1684  omsecor.exe  omsecor.exe
  PID 1684 wrote to memory of 1556  1684  omsecor.exe  omsecor.exe
  PID 1556 wrote to memory of 1816  1556  omsecor.exe  omsecor.exe
  PID 1556 wrote to memory of 1816  1556  omsecor.exe  omsecor.exe
  PID 1556 wrote to memory of 1816  1556  omsecor.exe  omsecor.exe
  PID 1556 wrote to memory of 1816  1556  omsecor.exe  omsecor.exe
Processes (tree, indented by depth)

C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe  (PID 1700)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 1684)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\omsecor.exe  (PID 1556)
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 1816)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
Downloads

Filesize: 62KB
MD5: c16c23cb422e27e6288b2e9795b13c69
SHA1: 64330f456ed162c016ed4f184022d3bab5aff088
SHA256: f0c01af3149a18f869ab44b4ba73461c013c18c60505eab2eecdd5fc060543b6
SHA512: dac7840b0148627db36ab23fede7e02cc8296930baebf89667243279bd5b272b71a10636641a282521a0add78442da0d5789fc481da915ba1f6944b26ed1f4bb

Filesize: 62KB
MD5: d1309edc22952e245c3c610668b9ad0c
SHA1: 8a0274c1fb6979773a3a61c040bbaa06440c26d6
SHA256: c8b349f88ae43b0d2a1c01cf191ee990c8e6e5dfd859d7de4a40c8ec74092bf3
SHA512: a4782cd5d576cd79857b820813dc81143b930163e34debaffbefcd0fefcc79d95d5a21cd520fc1741472caba50be1c568021bcfaa606376530c409a565c5b661

Filesize: 62KB
MD5: 60ee484a10ee4f8ea5e8fab8305aeef8
SHA1: 3f73a8abcdd9ea51bc33b1404e57d6e92aa14d33
SHA256: c5077413784f6757d3dacc97f0380ee5c908a13eeabb04726ef5e480d7d7ed84
SHA512: 78388d4e92ec68d7ab497c89589489807b1d5fa183c51a116a8b7f44b5e4035402effa60f77d1b66d34550d8bc7c583cd264757d8d3e32e64cf152f6a95a09f9