Analysis
max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 21:22
Behavioral task
behavioral1
Sample
3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe
Resource
win7-20240508-en
General
-
Target
3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe
-
Size
62KB
-
MD5
3d0b3b6e5fd1fc7c2c71c954e69b60b0
-
SHA1
2d01e12c954def7d6a04e2f9359d4b7a89238262
-
SHA256
a7938f49caef03c60b55d5d71e1673c67537f8ad1c64744ee615dd83bea11b8e
-
SHA512
a2c3132337c66e23ca5a3f6bf465cc67321f7d5a747ccdf1ccc1d3c543a88999e8db5386e29a0495229fdd79dfea63660cf92b4c42c68713ca80f5116739768e
-
SSDEEP
768:PMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uA:PbIvYvZEyFKF6N4yS+AQmZtl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Executes dropped EXE 3 IoCs
Processes:
pid | process
2996 | omsecor.exe
1152 | omsecor.exe
4772 | omsecor.exe

Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 1624 wrote to memory of 2996 | 1624 | 3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe | omsecor.exe
PID 1624 wrote to memory of 2996 | 1624 | 3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe | omsecor.exe
PID 1624 wrote to memory of 2996 | 1624 | 3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe | omsecor.exe
PID 2996 wrote to memory of 1152 | 2996 | omsecor.exe | omsecor.exe
PID 2996 wrote to memory of 1152 | 2996 | omsecor.exe | omsecor.exe
PID 2996 wrote to memory of 1152 | 2996 | omsecor.exe | omsecor.exe
PID 1152 wrote to memory of 4772 | 1152 | omsecor.exe | omsecor.exe
PID 1152 wrote to memory of 4772 | 1152 | omsecor.exe | omsecor.exe
PID 1152 wrote to memory of 4772 | 1152 | omsecor.exe | omsecor.exe
Processes
PID 1624: C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe"
  - Suspicious use of WriteProcessMemory
  PID 2996: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID 1152: C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID 4772: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
Downloads