Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 00:37
Behavioral task: behavioral1
- Sample: 706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe
- Resource: win7-20240419-en
General
- Target: 706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe
- Size: 76KB
- MD5: 706c96ef2f50e22a23524c700d8788a0
- SHA1: 7cf44ff9a24e173cb866fd5f70c2f0cfc8446b79
- SHA256: aa69c0e2a0bfc94d014b1fa0fac463d2c4db3b1998a19ac546f6124c2f0eeebe
- SHA512: 4f105f09d199060ab788f6c67261ce3ad2bc9c20bf6cde9e6cfe6a7be58d6e6ba5da084fbf94b8af60da63fd5c1b5bb0254abd3696683468cd85829e77827ef2
- SSDEEP: 1536:0d9dseIOcE93dIvYvZEyF4EEOF6N4yS+AQmZTl/5011:MdseIOKEZEyFjEOFqTiQm5l/5011
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 3792, omsecor.exe
- 2052, omsecor.exe
- 2896, omsecor.exe
Drops file in System32 directory (1 IoCs)
Processes (description, ioc, process):
- File created, C:\Windows\SysWOW64\omsecor.exe, omsecor.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, pid, process, target process):
- PID 404 wrote to memory of 3792, 404, 706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe, omsecor.exe
- PID 404 wrote to memory of 3792, 404, 706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe, omsecor.exe
- PID 404 wrote to memory of 3792, 404, 706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe, omsecor.exe
- PID 3792 wrote to memory of 2052, 3792, omsecor.exe, omsecor.exe
- PID 3792 wrote to memory of 2052, 3792, omsecor.exe, omsecor.exe
- PID 3792 wrote to memory of 2052, 3792, omsecor.exe, omsecor.exe
- PID 2052 wrote to memory of 2896, 2052, omsecor.exe, omsecor.exe
- PID 2052 wrote to memory of 2896, 2052, omsecor.exe, omsecor.exe
- PID 2052 wrote to memory of 2896, 2052, omsecor.exe, omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe
   "C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe"
   - Suspicious use of WriteProcessMemory
   PID: 404
2. C:\Users\Admin\AppData\Roaming\omsecor.exe
   C:\Users\Admin\AppData\Roaming\omsecor.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 3792
3. C:\Windows\SysWOW64\omsecor.exe
   C:\Windows\System32\omsecor.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 2052
4. C:\Users\Admin\AppData\Roaming\omsecor.exe
   C:\Users\Admin\AppData\Roaming\omsecor.exe
   - Executes dropped EXE
   PID: 2896
Downloads