Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20-05-2024 03:25
Behavioral task: behavioral1
- Sample: 9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe
- Resource: win7-20240221-en
General
- Target: 9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe
- Size: 80KB
- MD5: 9f73b46138b08037195e76e5180649a0
- SHA1: e4b6b8b84b5c59ff4110e3f38e5f4c954d98e88d
- SHA256: 07bc9db7d5ea8998be8ae0783c0ccadc510866d4c953a3ded51314c0b57828aa
- SHA512: d39352c6a8bd6a136adf1e59ece1d9fe47cec94c0ea49f22611e764b756e6cab7e5bfe4a59dd7c20af8a3c06dd6f7c4d8648d37ca06e3b0ce16f55f627aa5036
- SSDEEP: 768:3fMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:3fbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
  pid   process
  2184  omsecor.exe
  2972  omsecor.exe
  1228  omsecor.exe
- Loads dropped DLL (6 IoCs)
  Processes:
  pid   process
  2192  9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe
  2192  9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe
  2184  omsecor.exe
  2184  omsecor.exe
  2972  omsecor.exe
  2972  omsecor.exe
- Drops file in System32 directory (1 IoC)
  Processes:
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                       pid   process                                               target process
  PID 2192 wrote to memory of 2184  2192  9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe  omsecor.exe
  PID 2192 wrote to memory of 2184  2192  9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe  omsecor.exe
  PID 2192 wrote to memory of 2184  2192  9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe  omsecor.exe
  PID 2192 wrote to memory of 2184  2192  9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe  omsecor.exe
  PID 2184 wrote to memory of 2972  2184  omsecor.exe                                           omsecor.exe
  PID 2184 wrote to memory of 2972  2184  omsecor.exe                                           omsecor.exe
  PID 2184 wrote to memory of 2972  2184  omsecor.exe                                           omsecor.exe
  PID 2184 wrote to memory of 2972  2184  omsecor.exe                                           omsecor.exe
  PID 2972 wrote to memory of 1228  2972  omsecor.exe                                           omsecor.exe
  PID 2972 wrote to memory of 1228  2972  omsecor.exe                                           omsecor.exe
  PID 2972 wrote to memory of 1228  2972  omsecor.exe                                           omsecor.exe
  PID 2972 wrote to memory of 1228  2972  omsecor.exe                                           omsecor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe"
  PID: 2192
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2184
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (depth 3)
      Command line: C:\Windows\System32\omsecor.exe
      PID: 2972
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 1228
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 80KB
  MD5: 7fbdf871bf91153ecff8d044ed40c37a
  SHA1: 7b4b0d5de867f6b6444b79580abb345785af434e
  SHA256: 35352d475ffe0a44217dae8569fd6b770297a0aee28b337f39ca76529051bc11
  SHA512: bf950d2f0bb65cbd89dd61ef3e5bbd3cb2f357f934cb20a653069bd4a172d9f6476cd4a1a2c9f2daa8815fc94afd05b28c9de0af046ac73b5982876919956799
- Filesize: 80KB
  MD5: d7d6da61c3b35b9eec8ad0bd156e1a4f
  SHA1: e8096104d8c3828e53a5df7178a7343d915c35f0
  SHA256: c0d1c815839b1c7a0dcc9d7599123f6f47e7fa4ea1acabe98f6826efbf5d774a
  SHA512: c56f124b1fa1ede0486400117f3002d4c2f40963ec0c351365f9a8bf7796959dc3a90a1b1997dd1df71099525654b7b078e1663a41faf63752c0855ec60e02c5
- Filesize: 80KB
  MD5: 358d44aa331c69b76389328366e924ec
  SHA1: d99ef7c4f95a55f91ad02fac49d83b71405f2e29
  SHA256: fc3d8f316613bf676f790a10763592679a4493359e69a396c3376a2b7193c857
  SHA512: e7691fd4220d2a936dbc839406d67185a5e8721e1a96d08598f59e5dde2ee311be5593c3583ad1c76fb1aec40f8ede0838965bb21cfb49ed2c72f674772e12a5