Analysis
max time kernel: 121s
max time network: 129s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 20-05-2024 00:37
Behavioral task: behavioral1
Sample: 706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe
Resource: win7-20240419-en
General
Target: 706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe
Size: 76KB
MD5: 706c96ef2f50e22a23524c700d8788a0
SHA1: 7cf44ff9a24e173cb866fd5f70c2f0cfc8446b79
SHA256: aa69c0e2a0bfc94d014b1fa0fac463d2c4db3b1998a19ac546f6124c2f0eeebe
SHA512: 4f105f09d199060ab788f6c67261ce3ad2bc9c20bf6cde9e6cfe6a7be58d6e6ba5da084fbf94b8af60da63fd5c1b5bb0254abd3696683468cd85829e77827ef2
SSDEEP: 1536:0d9dseIOcE93dIvYvZEyF4EEOF6N4yS+AQmZTl/5011:MdseIOKEZEyFjEOFqTiQm5l/5011
Malware Config
Extracted: neconyd
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  PID   Process
  2120  omsecor.exe
  2276  omsecor.exe
  1956  omsecor.exe

Loads dropped DLL (6 IoCs)
Processes:
  PID   Process
  2220  706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe
  2220  706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe
  2120  omsecor.exe
  2120  omsecor.exe
  2276  omsecor.exe
  2276  omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
  Description   IoC                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  Description              PID   Process                                               Target process
  wrote to memory of 2120  2220  706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe  omsecor.exe
  wrote to memory of 2120  2220  706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe  omsecor.exe
  wrote to memory of 2120  2220  706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe  omsecor.exe
  wrote to memory of 2120  2220  706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe  omsecor.exe
  wrote to memory of 2276  2120  omsecor.exe                                           omsecor.exe
  wrote to memory of 2276  2120  omsecor.exe                                           omsecor.exe
  wrote to memory of 2276  2120  omsecor.exe                                           omsecor.exe
  wrote to memory of 2276  2120  omsecor.exe                                           omsecor.exe
  wrote to memory of 1956  2276  omsecor.exe                                           omsecor.exe
  wrote to memory of 1956  2276  omsecor.exe                                           omsecor.exe
  wrote to memory of 1956  2276  omsecor.exe                                           omsecor.exe
  wrote to memory of 1956  2276  omsecor.exe                                           omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2220

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      PID: 2120

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         PID: 2276

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            PID: 1956
Downloads