Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
20-05-2024 04:18

Behavioral task
behavioral1
Sample
aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe
Resource
win7-20240221-en
General

Target
aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe
Size
72KB
MD5
aa8ba803152da70d5a426f82e0f3e200
SHA1
a69df5d028ef3b1d9b6c597be3053f517192a5d4
SHA256
2caab932d8930e900fe8c88f3802505e79e2d0d59bd1d420feb2222bdc68cb05
SHA512
5c6e486b148b5e636290ce229c1ba7ca17a7546803859af530135b7bb69e6afb41098e49db8020e309808d34e1fc5001b04dd00a8d4b9f4249dbed3d05b7df31
SSDEEP
768:4MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:4bIvYvZEyFKF6N4yS+AQmZTl/5O
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  PID 2940  omsecor.exe
  PID 1308  omsecor.exe
  PID 572   omsecor.exe

Loads dropped DLL (6 IoCs)
Processes:
  PID 2812  aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe
  PID 2812  aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe
  PID 2940  omsecor.exe
  PID 2940  omsecor.exe
  PID 1308  omsecor.exe
  PID 1308  omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
  description: File created
  ioc: C:\Windows\SysWOW64\omsecor.exe
  process: omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (each pair is recorded four times):
  PID 2812 wrote to memory of 2940  aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe -> omsecor.exe  (x4)
  PID 2940 wrote to memory of 1308  omsecor.exe -> omsecor.exe  (x4)
  PID 1308 wrote to memory of 572   omsecor.exe -> omsecor.exe  (x4)
Processes

1. C:\Users\Admin\AppData\Local\Temp\aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe"
   PID: 2812
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2940
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         command line: C:\Windows\System32\omsecor.exe
         PID: 1308
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 572
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

Filesize
72KB
MD5
495c130f882705049903606f970ec4c0
SHA1
666953aef41b81aa4896362ec85e0065f37cf4f9
SHA256
9658aadb231c62de3ed5ea0f7f9c77edb6541964be96252e59ab600a7eba16f5
SHA512
b6db103a743dfb5bd3dccdb053a4b2d75348d2a5ce8196b22812987cdf78f483d05734e457edd38fe15cea86dc08de625969c135a1e7239cf3a4d6171f29198f

Filesize
72KB
MD5
a165baf30f0b198487f30e660c0fd156
SHA1
ae251ff3b8fe3e50380654fff54642126ec5c052
SHA256
ee3396b41e4d3901383402bdd56a165979cce617af4bf8dcb7844f59b549680c
SHA512
1f908421f5c1bb1f3630937265a5ecd27fc62b5d77c7329d938f295e1d8684ee86cc1141940bbe660dec45e75638fdfb44090186e43b7c34d00a5be5cccdc695

Filesize
72KB
MD5
9257a70066fa238f3350b6cef692cb74
SHA1
719ed791f370d70db834796c2975297cac446d9f
SHA256
7b3b4a37f408608c7eca3e41b42d52180c35359ad4ea1edcee59c89dfd904156
SHA512
d7b43d474fea8575443e704125dac6966a77ea62565b8a105d0fdf4681483011dab146a16e6a26d4451e5e1ce03026e0e588f33fd198dad23d27a231c90ccdc8
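The report above gives everything needed to hunt for this sample on an endpoint: the C2 hosts from the extracted neconyd config, the drop path C:\Users\<user>\AppData\Roaming\omsecor.exe, the copy under C:\Windows\SysWOW64\omsecor.exe, the omsecor.exe -> omsecor.exe parent/child chain, and the file hashes under General and Downloads. One caveat worth reading off the process tree: the level-3 process has command line C:\Windows\System32\omsecor.exe but image path C:\Windows\SysWOW64\omsecor.exe. The sample is tagged arch:x86 and ran on an x64 image, so the write to System32 was silently redirected to SysWOW64 by WoW64 file-system redirection; a path-based rule has to accept both spellings or it misses the 32-bit case. The script below is an added example, not part of the sandbox report or of any vendor tooling. It assumes Sysmon-style events as Python dicts with the standard field names (EventID 1 Image/ParentImage/Hashes, EventID 11 TargetFilename, EventID 22 QueryName); the sample log is constructed to mirror the report's process tree, and the assignment of the three Downloads hashes to particular dropped copies is an assumption, since the page does not state which file is which.

```python
"""IoC matcher built from the sandbox report above (constructed example).

Not part of the report or of any vendor tooling. Events are assumed to be
Sysmon-style dicts using the standard Sysmon field names; the sample log
below is constructed, and the hash-to-path pairing in it is assumed.
"""
import re

# --- Indicators copied from the report ---------------------------------
C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}

KNOWN_MD5 = {
    "aa8ba803152da70d5a426f82e0f3e200",  # submitted sample (General)
    "495c130f882705049903606f970ec4c0",  # files listed under Downloads
    "a165baf30f0b198487f30e660c0fd156",
    "9257a70066fa238f3350b6cef692cb74",
}

# Drop locations from the process tree. System32 is accepted alongside
# SysWOW64 because the x86 sample's write to C:\Windows\System32 was
# redirected to SysWOW64 on the x64 image (WoW64 file-system redirection).
DROP_PATH_RE = re.compile(
    r"^c:\\(?:users\\[^\\]+\\appdata\\roaming|windows\\(?:system32|syswow64))\\omsecor\.exe$",
    re.IGNORECASE,
)


def is_drop_path(path):
    """True if path is one of the omsecor.exe locations seen in the report."""
    return bool(DROP_PATH_RE.match(path or ""))


def md5_from_sysmon_hashes(hashes):
    """Parse Sysmon's 'MD5=...,SHA256=...' Hashes field; return lowercase MD5 or None."""
    for part in (hashes or "").split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "MD5":
            return value.strip().lower()
    return None


def match_event(ev):
    """Return the list of indicator names a single event hits (empty if clean)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        image, parent = ev.get("Image"), ev.get("ParentImage")
        if is_drop_path(image):
            hits.append("exec:omsecor_drop_path")
        if is_drop_path(image) and is_drop_path(parent):
            hits.append("chain:omsecor_spawns_omsecor")  # levels 2->3->4 in the tree
        if md5_from_sysmon_hashes(ev.get("Hashes")) in KNOWN_MD5:
            hits.append("hash:known_md5")
    elif eid == 11:  # file create
        if is_drop_path(ev.get("TargetFilename")):
            hits.append("file:omsecor_dropped")
    elif eid == 22:  # DNS query; match the host and any subdomain of it
        qname = (ev.get("QueryName") or "").lower().rstrip(".")
        if qname in C2_HOSTS or any(qname.endswith("." + h) for h in C2_HOSTS):
            hits.append("dns:neconyd_c2")
    return hits


def scan(events):
    """Run match_event over an iterable of events; return {indicator: count}."""
    counts = {}
    for ev in events:
        for hit in match_event(ev):
            counts[hit] = counts.get(hit, 0) + 1
    return counts


# --- Constructed sample log mirroring the report's process tree ----------
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2812,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "MD5=AA8BA803152DA70D5A426F82E0F3E200"},
    {"EventID": 11, "ProcessId": 2812,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"EventID": 1, "ProcessId": 2940,
     "Image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe",
     "Hashes": "MD5=495c130f882705049903606f970ec4c0"},  # pairing assumed
    {"EventID": 11, "ProcessId": 2940,
     "TargetFilename": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"EventID": 1, "ProcessId": 1308,
     "Image": r"C:\Windows\SysWOW64\omsecor.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "Hashes": "MD5=a165baf30f0b198487f30e660c0fd156"},  # pairing assumed
    {"EventID": 22, "ProcessId": 1308, "QueryName": "ow5dirasuek.com"},
    {"EventID": 22, "ProcessId": 1308, "QueryName": "www.microsoft.com"},  # benign noise
    {"EventID": 1, "ProcessId": 4444,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "MD5=00000000000000000000000000000000"},  # benign noise
]

if __name__ == "__main__":
    for name, count in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{name}: {count}")
```

Hash matching is the weakest of the four checks: each omsecor.exe copy in the Downloads list has a different MD5 even though all are 72KB, so a fresh build evades it while the drop path, the self-spawning chain and the C2 lookups still fire.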