Analysis
max time kernel: 145s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 04:38
Behavioral task: behavioral1
Sample: aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe
Resource: win7-20240220-en
General
Target: aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe
Size: 88KB
MD5: aef02de0f9c4496cc3875fe85fbf65a0
SHA1: fce7ae0220abaf0bb8e1cfd9ee05c4c4e1ab5551
SHA256: c0cff68c65ff635d976ea2fb6da9aeaab3c9a5385c9ed7bda38a6231cb324ba8
SHA512: 3ee7436e9c81c7eaa1a2b9d5b3fe12b531aedc6639b33248fed53b46c9e9e00e8dac8a9bd5510c859a71b1d51e8e00bfaa1931f09357facd2920f4b3dac806ed
SSDEEP: 1536:Hd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:vdseIOMEZEyFjEOFqTiQm5l/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1428  omsecor.exe
  4772  omsecor.exe

Drops file in System32 directory (2 IoCs)
Processes:
  description                    ioc                                   process
  File created                   C:\Windows\SysWOW64\omsecor.exe       omsecor.exe
  File opened for modification   C:\Windows\SysWOW64\merocz.xc6        omsecor.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                          pid   process                                                target process
  PID 4940 wrote to memory of 1428     4940  aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe   omsecor.exe
  PID 4940 wrote to memory of 1428     4940  aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe   omsecor.exe
  PID 4940 wrote to memory of 1428     4940  aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe   omsecor.exe
  PID 1428 wrote to memory of 4772     1428  omsecor.exe                                            omsecor.exe
  PID 1428 wrote to memory of 4772     1428  omsecor.exe                                            omsecor.exe
  PID 1428 wrote to memory of 4772     1428  omsecor.exe                                            omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\aef02de0f9c4496cc3875fe85fbf65a0_NeikiAnalytics.exe"
   PID: 4940
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1428
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 4772
         - Executes dropped EXE
         - Drops file in System32 directory
Downloads

Filesize: 88KB
MD5: fd9b331d26f32185f358fa75ed32d942
SHA1: 3dcc9fb98b984d34aae8385829e640191c8830f0
SHA256: 7002847d545ea2a227b9fa91677a3eb52d513e4bf8aead863f73dcce3a725835
SHA512: f7325ff112820aa3935a1b113e7e5eeabd2e98d10a3d47a021563b328443c3190b285f7231c2fb8c09f4550c4f9d6f504c0a9db65e0aaa2c7a3007f05f67e96b

Filesize: 88KB
MD5: 36797dc7ed377a32e271f58f732dd92c
SHA1: 8d604e067801ae31962a8a7f18ced63c65d0a662
SHA256: 1bae5321133d76aad1e0f8bf56438eb9d60aacb0e5dfe983d79aa4794d0aac50
SHA512: 493cd258626d65f326dbc7aa56d55b11bd9ca95eedc85bc64250cfd25febd2249a0ee23e0891292cee02fa0c68b3cda8843181ad3e262f643e6fb29a03dd3ac7