Analysis
  Max time kernel: 145s
  Max time network: 147s
  Platform: windows7_x64
  Resource: win7-20240508-en
  Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  Submitted: 20-05-2024 06:14
Behavioral task: behavioral1
  Sample: c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe
  Resource: win7-20240508-en
General
  Target: c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe
  Size: 84KB
  MD5: c217dc2771eccec57d3517399278b380
  SHA1: adc01a4a404773422d0c9295fdb2d6686605d885
  SHA256: 2049fae0e816dd8535ff4a5741a4c756aad67d3c8f3bdff1388a64936bb40ca1
  SHA512: db0165db0376b429d463c02ba950be8e2a38645042ab8bad16b7b61fa58379b519946628dcb62e70461f510f3ff94d9ba0ede65af7a3bfc9f43e52d758aeb128
  SSDEEP: 1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:4dseIOMEZEyFjEOFqTiQm5l/5
Malware Config
  Extracted: neconyd
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
  PID   Process
  2176  omsecor.exe
  1752  omsecor.exe
  1832  omsecor.exe

Loads dropped DLL (6 IoCs)
  PID   Process
  2068  c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe
  2068  c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe
  2176  omsecor.exe
  2176  omsecor.exe
  1752  omsecor.exe
  1752  omsecor.exe

Drops file in System32 directory (1 IoC)
  Description   IoC                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs; each row was recorded 4 times)
  Description                       PID   Process                                              Target process
  PID 2068 wrote to memory of 2176  2068  c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe  omsecor.exe
  PID 2176 wrote to memory of 1752  2176  omsecor.exe                                          omsecor.exe
  PID 1752 wrote to memory of 1832  1752  omsecor.exe                                          omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe"
   PID: 2068
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2176
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 1752
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 1832
            - Executes dropped EXE
Downloads

  Filesize: 84KB
  MD5: 86721caf55312093a96bbc9c93391b07
  SHA1: 99b36d00be3af7ce775824f3aa49c3f8cd6bc382
  SHA256: 52af109af3ccfaf95f1284e0ef659c6e379080b558dbd096bf3e4c8064b8e6da
  SHA512: 4d81fb2639836513c00a34e7803c1838ae43dc6b179d7f802c24dd98bb7da3cca6ad6fcb0664743a18fd09893a0cf0d2a1cda452770a67db4f2ea52200aaf6e8

  Filesize: 84KB
  MD5: 8a738c7474431d9afe188839535612bc
  SHA1: 494275f83679f5015a8ac4e2864497e41bc9cefe
  SHA256: 71cefe3354cfdf65e0d9117037f42bfc079405c6fa55061acf96bbcd8e695be8
  SHA512: f88db01fb520d30c0a3bdc05603a8b396db4d8f65a80d0b5345ad9eb73ba5d8cb467d97725b0baaff87b6e6f16feb1499c269c47e91efe57691fca95884744f1

  Filesize: 84KB
  MD5: 4253861b8f458ec98f099919ecfef6ab
  SHA1: 77eef3889ee2005c998d7f2ce187da61f513379b
  SHA256: 5a77527622b9095bdadb6f81c75c50c55c8c8a25ab83198c203730942ef2421b
  SHA512: fed9294229865f018ca790d4c1a3076bd6810a55b2ba637f09106f318acd8ce8154a5a617fdb1a1f702445ca791cbda353ace03870130da7ca1da3d624e52a6f