Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 20-05-2024 04:38
Behavioral task: behavioral1
- Sample: aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe
- Resource: win7-20240220-en
General
- Target: aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe
- Size: 88KB
- MD5: aef02de0f9c4496cc3875fe85fbf65a0
- SHA1: fce7ae0220abaf0bb8e1cfd9ee05c4c4e1ab5551
- SHA256: c0cff68c65ff635d976ea2fb6da9aeaab3c9a5385c9ed7bda38a6231cb324ba8
- SHA512: 3ee7436e9c81c7eaa1a2b9d5b3fe12b531aedc6639b33248fed53b46c9e9e00e8dac8a9bd5510c859a71b1d51e8e00bfaa1931f09357facd2920f4b3dac806ed
- SSDEEP: 1536:Hd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:vdseIOMEZEyFjEOFqTiQm5l/5
Malware Config
Extracted family: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: omsecor.exe, omsecor.exe, omsecor.exe
  pid   process
  1792  omsecor.exe
  2904  omsecor.exe
  3040  omsecor.exe
- Loads dropped DLL (6 IoCs)
  Processes: aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe, omsecor.exe, omsecor.exe
  pid   process
  2360  aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe
  2360  aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe
  1792  omsecor.exe
  1792  omsecor.exe
  2904  omsecor.exe
  2904  omsecor.exe
- Drops file in System32 directory (1 IoC)
  Processes: omsecor.exe
  description   ioc                                  process
  File created  C:\Windows\SysWOW64\omsecor.exe      omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe, omsecor.exe, omsecor.exe
  description                        pid   process                                               target process
  PID 2360 wrote to memory of 1792   2360  aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe  omsecor.exe
  PID 2360 wrote to memory of 1792   2360  aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe  omsecor.exe
  PID 2360 wrote to memory of 1792   2360  aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe  omsecor.exe
  PID 2360 wrote to memory of 1792   2360  aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe  omsecor.exe
  PID 1792 wrote to memory of 2904   1792  omsecor.exe                                           omsecor.exe
  PID 1792 wrote to memory of 2904   1792  omsecor.exe                                           omsecor.exe
  PID 1792 wrote to memory of 2904   1792  omsecor.exe                                           omsecor.exe
  PID 1792 wrote to memory of 2904   1792  omsecor.exe                                           omsecor.exe
  PID 2904 wrote to memory of 3040   2904  omsecor.exe                                           omsecor.exe
  PID 2904 wrote to memory of 3040   2904  omsecor.exe                                           omsecor.exe
  PID 2904 wrote to memory of 3040   2904  omsecor.exe                                           omsecor.exe
  PID 2904 wrote to memory of 3040   2904  omsecor.exe                                           omsecor.exe
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe"
  PID: 2360
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 1792
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - Depth 3: C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 2904
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - Depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 3040
        - Executes dropped EXE
Downloads
- Filesize: 88KB
  MD5: fd9b331d26f32185f358fa75ed32d942
  SHA1: 3dcc9fb98b984d34aae8385829e640191c8830f0
  SHA256: 7002847d545ea2a227b9fa91677a3eb52d513e4bf8aead863f73dcce3a725835
  SHA512: f7325ff112820aa3935a1b113e7e5eeabd2e98d10a3d47a021563b328443c3190b285f7231c2fb8c09f4550c4f9d6f504c0a9db65e0aaa2c7a3007f05f67e96b
- Filesize: 88KB
  MD5: 685f73db4f86d8b5a77fb1b128c9cdcb
  SHA1: f5dc2fb8721ac09254070d30b678ad5034543419
  SHA256: 719c785a442e63c8a0098563fa982365ee7a19729f7ebb0f004f907a0064e201
  SHA512: 47d8f5fa0d7eca518446b4bb9207eaa73fe0b6834f4bfe72cb246bf425147d10267902f4acc3f19cfff38c41ccfa61b05b9053c841c278a2e7ef7f3375a04175
- Filesize: 88KB
  MD5: 60445a44f3f27259654221641038bd3f
  SHA1: 63dc2ac6b60e4c812efbdc18cff73043a0e8cf40
  SHA256: d81893a11d76fa25789a5364772f88a093b1846fb3a80473103e799f9df02cc9
  SHA512: 8bcc10df57954050aa740637b1158034529e0412b97086aef9df8f652ef98f06daae23ccec560aa02dd316d65020a26c6d59308d458225fca14a5f949b5a28d9