Analysis
max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240419-en
resource tags
arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted
19-05-2024 20:37
Behavioral task
behavioral1
Sample
33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe
Resource
win7-20240419-en
General
-
Target
33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe
-
Size
73KB
-
MD5
33853b1d020011dc876783e07d8b7230
-
SHA1
8dc8ccde95fd883250957c7e36d60343be0c1934
-
SHA256
c6c1b6c6b2c8b4a507d4eb4ecda9cfeb0cfb66c4dcdea0a44eb655e9d841292e
-
SHA512
c98df728ed61b666ed8a9fdec1e64c799cb4fbdfd5ed47264d43373dfd4ec8b3f8f2db2ee41bc6af27beca20058ebf7d5ded71d8049305542b6c3fec0f53ecd0
-
SSDEEP
1536:ud9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:2dseIOMEZEyFjEOFqTiQm5l/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
2292  omsecor.exe
2636  omsecor.exe
3020  omsecor.exe
Loads dropped DLL 6 IoCs
Processes:
pid   process
2288  33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe
2288  33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe
2292  omsecor.exe
2292  omsecor.exe
2636  omsecor.exe
2636  omsecor.exe
Drops file in System32 directory 1 IoCs
Processes:
description   ioc                                  process
File created  C:\Windows\SysWOW64\omsecor.exe      omsecor.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                       pid   process                                               target process
PID 2288 wrote to memory of 2292  2288  33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe  omsecor.exe
PID 2288 wrote to memory of 2292  2288  33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe  omsecor.exe
PID 2288 wrote to memory of 2292  2288  33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe  omsecor.exe
PID 2288 wrote to memory of 2292  2288  33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe  omsecor.exe
PID 2292 wrote to memory of 2636  2292  omsecor.exe                                           omsecor.exe
PID 2292 wrote to memory of 2636  2292  omsecor.exe                                           omsecor.exe
PID 2292 wrote to memory of 2636  2292  omsecor.exe                                           omsecor.exe
PID 2292 wrote to memory of 2636  2292  omsecor.exe                                           omsecor.exe
PID 2636 wrote to memory of 3020  2636  omsecor.exe                                           omsecor.exe
PID 2636 wrote to memory of 3020  2636  omsecor.exe                                           omsecor.exe
PID 2636 wrote to memory of 3020  2636  omsecor.exe                                           omsecor.exe
PID 2636 wrote to memory of 3020  2636  omsecor.exe                                           omsecor.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2288
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      PID: 2292
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         PID: 2636
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            PID: 3020
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
73KB
MD5
ce9c4280dd4ff278815e58d38638c24a
SHA1
02c2e5d37527af5281e6b358ba9d8e139de31d2c
SHA256
6540ec62a6824fd7f0085f0b5dfc71e86db5dd16c167a634f7e5367a126624ba
SHA512
34792c79b02fd9dc3aac3980a3477bfc99c3fc7f4360a7a9d2e989ffe5ce99dd96d64f5cc70906bc2cad9ef23c4723f19ce81c19e4a45db6554dda87cb0af1c6
-
Filesize
73KB
MD5
c7df93f110b623c5beaa22b96dfe63a6
SHA1
bb47f351b89c0a0d4ce40444242327fdd6923dd3
SHA256
57c1cce8db1f3f66aaf876e4f04293f2543293511057e136c3524005b597f685
SHA512
4967bd8a8740636dca28593678f80724d9a8b54fa856abf7486a4dfa5ec984678db1b059425256b7ff6c26711f688fd89075adfdbe5bef68564d0d781608625c
-
Filesize
73KB
MD5
33b0d0d54a1068a7c379e6c615772a17
SHA1
3c8431d6d51dbabf4c599b2e367e59948b44f4bf
SHA256
26fb046da3497da0c88d7b0104bfcddfb2e3971f19ff96b71d1e97fd512bf4a1
SHA512
383891758d5f1765b99e6c4b1edb46ded432b911cc6fc894535e082c95315bf6a612ed753505564e7ee6ab8f9223a4ae2fe85efe783514de46fee408697235bf