Analysis

max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 04:18
Behavioral task: behavioral1
Sample: aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe
Size: 72KB
MD5: aa8ba803152da70d5a426f82e0f3e200
SHA1: a69df5d028ef3b1d9b6c597be3053f517192a5d4
SHA256: 2caab932d8930e900fe8c88f3802505e79e2d0d59bd1d420feb2222bdc68cb05
SHA512: 5c6e486b148b5e636290ce229c1ba7ca17a7546803859af530135b7bb69e6afb41098e49db8020e309808d34e1fc5001b04dd00a8d4b9f4249dbed3d05b7df31
SSDEEP: 768:4MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:4bIvYvZEyFKF6N4yS+AQmZTl/5O
Malware Config

Extracted: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

- Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  4404  omsecor.exe
  4444  omsecor.exe
  4400  omsecor.exe

- Drops file in System32 directory (1 IoCs)
Processes:
  description   ioc                               process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                        pid   process                                               target process
  PID 2664 wrote to memory of 4404   2664  aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe   omsecor.exe
  PID 2664 wrote to memory of 4404   2664  aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe   omsecor.exe
  PID 2664 wrote to memory of 4404   2664  aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe   omsecor.exe
  PID 4404 wrote to memory of 4444   4404  omsecor.exe                                           omsecor.exe
  PID 4404 wrote to memory of 4444   4404  omsecor.exe                                           omsecor.exe
  PID 4404 wrote to memory of 4444   4404  omsecor.exe                                           omsecor.exe
  PID 4444 wrote to memory of 4400   4444  omsecor.exe                                           omsecor.exe
  PID 4444 wrote to memory of 4400   4444  omsecor.exe                                           omsecor.exe
  PID 4444 wrote to memory of 4400   4444  omsecor.exe                                           omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe"
   - Suspicious use of WriteProcessMemory
   PID:2664

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      PID:4404

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         PID:4444

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            PID:4400
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 72KB
  MD5: 74aa86ee0cb281f2667c11459a0836ea
  SHA1: 6d14abd37bbdcb56009bb748b0cde82af37e8863
  SHA256: d78a63d33e80e0c9f3e97b649448f6a3de705739326f13f477bff92428b0a454
  SHA512: 617816f73cad9580b51fa720c1e7e82051cfd7eb3caeb2ca52df741e077a5982090ebc2b514fea707f180107f518e171907e99424d6071054becafb54db1ad97

- Filesize: 72KB
  MD5: 495c130f882705049903606f970ec4c0
  SHA1: 666953aef41b81aa4896362ec85e0065f37cf4f9
  SHA256: 9658aadb231c62de3ed5ea0f7f9c77edb6541964be96252e59ab600a7eba16f5
  SHA512: b6db103a743dfb5bd3dccdb053a4b2d75348d2a5ce8196b22812987cdf78f483d05734e457edd38fe15cea86dc08de625969c135a1e7239cf3a4d6171f29198f

- Filesize: 72KB
  MD5: 911380773498707632a5e733145ed4a1
  SHA1: aebef8cdc74e818424be57d316eb39fe4e897b51
  SHA256: d3b5ee12ce81d0d3942217d2822f45697163838fac635a3bb1f4799ed384bd35
  SHA512: 7d0945239bb128a91b7a43c3fdbd78b4a2cf5b4cdd521d599f0d4642b082f4f66fb1c31449be3163fff48f55782f223707c223428981691f88a6649af6856b9a