Analysis
  max time kernel: 145s
  max time network: 147s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20-05-2024 03:25
Behavioral task: behavioral1
  Sample: 9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe
  Resource: win7-20240221-en
General
  Target: 9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe
  Size: 80KB
  MD5: 9f73b46138b08037195e76e5180649a0
  SHA1: e4b6b8b84b5c59ff4110e3f38e5f4c954d98e88d
  SHA256: 07bc9db7d5ea8998be8ae0783c0ccadc510866d4c953a3ded51314c0b57828aa
  SHA512: d39352c6a8bd6a136adf1e59ece1d9fe47cec94c0ea49f22611e764b756e6cab7e5bfe4a59dd7c20af8a3c06dd6f7c4d8648d37ca06e3b0ce16f55f627aa5036
  SSDEEP: 768:3fMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:3fbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
  Extracted: neconyd
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures

  Executes dropped EXE (3 IoCs)
    Processes:
      pid   process
      2344  omsecor.exe
      716   omsecor.exe
      2460  omsecor.exe

  Drops file in System32 directory (1 IoC)
    Processes:
      description   ioc                              process
      File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

  Suspicious use of WriteProcessMemory (9 IoCs)
    Processes:
      description                        pid   process                                              target process
      PID 528 wrote to memory of 2344    528   9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe  omsecor.exe
      PID 528 wrote to memory of 2344    528   9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe  omsecor.exe
      PID 528 wrote to memory of 2344    528   9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe  omsecor.exe
      PID 2344 wrote to memory of 716    2344  omsecor.exe                                          omsecor.exe
      PID 2344 wrote to memory of 716    2344  omsecor.exe                                          omsecor.exe
      PID 2344 wrote to memory of 716    2344  omsecor.exe                                          omsecor.exe
      PID 716 wrote to memory of 2460    716   omsecor.exe                                          omsecor.exe
      PID 716 wrote to memory of 2460    716   omsecor.exe                                          omsecor.exe
      PID 716 wrote to memory of 2460    716   omsecor.exe                                          omsecor.exe
Processes

  1. C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe"
     PID: 528
     - Suspicious use of WriteProcessMemory

     2. C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2344
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory

        3. C:\Windows\SysWOW64\omsecor.exe
           Command line: C:\Windows\System32\omsecor.exe
           PID: 716
           - Executes dropped EXE
           - Suspicious use of WriteProcessMemory

           4. C:\Users\Admin\AppData\Roaming\omsecor.exe
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              PID: 2460
              - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads