Analysis
max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 20:37
Behavioral task
behavioral1
Sample
33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe
Resource
win7-20240419-en
General
Target: 33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe
Size: 73KB
MD5: 33853b1d020011dc876783e07d8b7230
SHA1: 8dc8ccde95fd883250957c7e36d60343be0c1934
SHA256: c6c1b6c6b2c8b4a507d4eb4ecda9cfeb0cfb66c4dcdea0a44eb655e9d841292e
SHA512: c98df728ed61b666ed8a9fdec1e64c799cb4fbdfd5ed47264d43373dfd4ec8b3f8f2db2ee41bc6af27beca20058ebf7d5ded71d8049305542b6c3fec0f53ecd0
SSDEEP: 1536:ud9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:2dseIOMEZEyFjEOFqTiQm5l/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Executes dropped EXE (3 IoCs)
Processes:
pid | process
3892 | omsecor.exe
2252 | omsecor.exe
1236 | omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 4916 wrote to memory of 3892 | 4916 | 33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe | omsecor.exe
PID 4916 wrote to memory of 3892 | 4916 | 33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe | omsecor.exe
PID 4916 wrote to memory of 3892 | 4916 | 33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe | omsecor.exe
PID 3892 wrote to memory of 2252 | 3892 | omsecor.exe | omsecor.exe
PID 3892 wrote to memory of 2252 | 3892 | omsecor.exe | omsecor.exe
PID 3892 wrote to memory of 2252 | 3892 | omsecor.exe | omsecor.exe
PID 2252 wrote to memory of 1236 | 2252 | omsecor.exe | omsecor.exe
PID 2252 wrote to memory of 1236 | 2252 | omsecor.exe | omsecor.exe
PID 2252 wrote to memory of 1236 | 2252 | omsecor.exe | omsecor.exe
Processes
PID 4916
  Image: C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe"
  - Suspicious use of WriteProcessMemory
  PID 3892
    Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID 2252
      Image: C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID 1236
        Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
Downloads