Analysis
Max time kernel: 146s
Max time network: 151s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 20-05-2024 04:45
Behavioral task: behavioral1
Sample: b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe
Size: 80KB
MD5: b09a521906d1eed8c0989d0f2e9e75b0
SHA1: 1cfc08fd78c4fd8cfa5bf61f5a3e54d9c8145276
SHA256: e73eaeafa6e84acb88b422d6e340f5da99a13e64b3e2616fa444e5129faf86a8
SHA512: b32bbba650e10c2b15dbe3e75e7f0f894bf4f295db573f95842a0d071972507456b481e9f43dca900e581af518acf8432e1888a9f827ad183fbc104b4efc4b49
SSDEEP: 768:KfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:KfbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes (pid, process):
2760 omsecor.exe
2820 omsecor.exe
3044 omsecor.exe

Loads dropped DLL (6 IoCs)
Processes (pid, process):
1656 b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe (x2)
2760 omsecor.exe (x2)
2820 omsecor.exe (x2)

Drops file in System32 directory (1 IoC)
Processes (description, ioc, process):
File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
PID 1656 wrote to memory of 2760: b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe -> omsecor.exe (x4)
PID 2760 wrote to memory of 2820: omsecor.exe -> omsecor.exe (x4)
PID 2820 wrote to memory of 3044: omsecor.exe -> omsecor.exe (x4)
Processes

1. C:\Users\Admin\AppData\Local\Temp\b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe"
   PID: 1656
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2760
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2820
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 3044
            - Executes dropped EXE
Downloads

Filesize: 80KB
MD5: 87a34cd5cbff2557af7ddfb672e3b2fa
SHA1: b723170993ab887d205a4f8da695395c2b24889d
SHA256: b497f0117e0f4fd2d6f76749480d13798e35029a58d7e7bd9c594c35ad2cedb1
SHA512: 6499deab1a8d5106917559402f15c3fbd9fbaed11b8257443bab20b443c3436db1dba3035326f7a90d817afe3d94c06e7d53db212cf3658df09181332aacb579

Filesize: 80KB
MD5: 720e279f2e6f6aff51c9193add0ac6a2
SHA1: 2568cc8769b9d0effd735eb25fdfdaba278a2975
SHA256: 0c69ab57d833e6a3645153a6656257e5130f0f1d233d7526bf267725e01b20e4
SHA512: 6b157331cb3651766d0228fa57316052e53d324b5e2e653af5a8b93cbf93bbbdbdbb5d6c9717d8b3ded1bdae6c815bf8c1ebefdf7a450f0a78439025b34c53d0

Filesize: 80KB
MD5: c79035d95bf6c0d3d7e8370651b24e49
SHA1: f1238cbf29c9151fb5df59b30270cdf10e99bbb3
SHA256: a61e2b7ba21b979115149e4053d16b68208e0aec56009c18e383db307dd61db8
SHA512: 02f188889822a134058ac8a09ff88face1610a2700ad76d6e2f72091f1ca09e22f0c0f5305fa4ff6b027fca7c1da28ed3da14fd0cd25ef076bc735d56a00d356