Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 04:45
Behavioral task: behavioral1
- Sample: b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe
- Resource: win7-20240221-en
General
- Target: b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe
- Size: 80KB
- MD5: b09a521906d1eed8c0989d0f2e9e75b0
- SHA1: 1cfc08fd78c4fd8cfa5bf61f5a3e54d9c8145276
- SHA256: e73eaeafa6e84acb88b422d6e340f5da99a13e64b3e2616fa444e5129faf86a8
- SHA512: b32bbba650e10c2b15dbe3e75e7f0f894bf4f295db573f95842a0d071972507456b481e9f43dca900e581af518acf8432e1888a9f827ad183fbc104b4efc4b49
- SSDEEP: 768:KfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:KfbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: omsecor.exe, omsecor.exe, omsecor.exe
  pid   process
  2536  omsecor.exe
  2248  omsecor.exe
  4300  omsecor.exe
- Drops file in System32 directory (1 IoC)
  Processes: omsecor.exe
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe, omsecor.exe, omsecor.exe
  description                        pid   process                                              target process
  PID 1396 wrote to memory of 2536   1396  b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe  omsecor.exe
  PID 1396 wrote to memory of 2536   1396  b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe  omsecor.exe
  PID 1396 wrote to memory of 2536   1396  b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe  omsecor.exe
  PID 2536 wrote to memory of 2248   2536  omsecor.exe                                          omsecor.exe
  PID 2536 wrote to memory of 2248   2536  omsecor.exe                                          omsecor.exe
  PID 2536 wrote to memory of 2248   2536  omsecor.exe                                          omsecor.exe
  PID 2248 wrote to memory of 4300   2248  omsecor.exe                                          omsecor.exe
  PID 2248 wrote to memory of 4300   2248  omsecor.exe                                          omsecor.exe
  PID 2248 wrote to memory of 4300   2248  omsecor.exe                                          omsecor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe"
  PID: 1396
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe
    command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2536
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe
      command line: C:\Windows\System32\omsecor.exe
      PID: 2248
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 4300
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 80KB
  MD5: 46d9678b4487e84c516b34e71a4029d7
  SHA1: 74884c7f09c0fe1f6a171c58555cd19f192d6450
  SHA256: cf8b28f90832105463531dad6751cf038ee50ebe35d838432294238342444e8f
  SHA512: 46c1ec87ccc2eae539d0a6d0255373dd61cd209ac99927f4f063a916db22b9561d40c5fb5997a391eae6e07d4c4c5f36556878793104d7b2081b4700a333e215
- Filesize: 80KB
  MD5: 87a34cd5cbff2557af7ddfb672e3b2fa
  SHA1: b723170993ab887d205a4f8da695395c2b24889d
  SHA256: b497f0117e0f4fd2d6f76749480d13798e35029a58d7e7bd9c594c35ad2cedb1
  SHA512: 6499deab1a8d5106917559402f15c3fbd9fbaed11b8257443bab20b443c3436db1dba3035326f7a90d817afe3d94c06e7d53db212cf3658df09181332aacb579
- Filesize: 80KB
  MD5: fd01891cfcf022bbf245744d90a3e451
  SHA1: 454691a7464b9db7be8cc420f799887df58d9875
  SHA256: 64509b5009bb1ebf4d82a8284058d9c899c3c0b6df843755b58691ebe76e0419
  SHA512: cdce6763cce128ae0a49d2cecaa966e054eef6ecbf1c915bc17b8d2b2f54e632158fbadc7f5bc2d0a0b415ce07855b46d42a94a9c68d95383d2d43055bd470e9