Analysis
- max time kernel: 146s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 06:14

Behavioral task: behavioral1
- Sample: c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe
- Resource: win7-20240508-en

General
- Target: c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe
- Size: 84KB
- MD5: c217dc2771eccec57d3517399278b380
- SHA1: adc01a4a404773422d0c9295fdb2d6686605d885
- SHA256: 2049fae0e816dd8535ff4a5741a4c756aad67d3c8f3bdff1388a64936bb40ca1
- SHA512: db0165db0376b429d463c02ba950be8e2a38645042ab8bad16b7b61fa58379b519946628dcb62e70461f510f3ff94d9ba0ede65af7a3bfc9f43e52d758aeb128
- SSDEEP: 1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:4dseIOMEZEyFjEOFqTiQm5l/5
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE 3 IoCs
Processes:
- pid: 1988; process: omsecor.exe
- pid: 1380; process: omsecor.exe
- pid: 2480; process: omsecor.exe

Drops file in System32 directory 1 IoCs
Processes:
- description: File created; ioc: C:\Windows\SysWOW64\omsecor.exe; process: omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs
Processes:
- description: PID 1688 wrote to memory of 1988; pid: 1688; process: c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe; target process: omsecor.exe
- description: PID 1688 wrote to memory of 1988; pid: 1688; process: c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe; target process: omsecor.exe
- description: PID 1688 wrote to memory of 1988; pid: 1688; process: c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe; target process: omsecor.exe
- description: PID 1988 wrote to memory of 1380; pid: 1988; process: omsecor.exe; target process: omsecor.exe
- description: PID 1988 wrote to memory of 1380; pid: 1988; process: omsecor.exe; target process: omsecor.exe
- description: PID 1988 wrote to memory of 1380; pid: 1988; process: omsecor.exe; target process: omsecor.exe
- description: PID 1380 wrote to memory of 2480; pid: 1380; process: omsecor.exe; target process: omsecor.exe
- description: PID 1380 wrote to memory of 2480; pid: 1380; process: omsecor.exe; target process: omsecor.exe
- description: PID 1380 wrote to memory of 2480; pid: 1380; process: omsecor.exe; target process: omsecor.exe

Processes
- C:\Users\Admin\AppData\Local\Temp\c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe"
  PID: 1688
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe
    command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 1988
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe
      command line: C:\Windows\System32\omsecor.exe
      PID: 1380
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2480
        - Executes dropped EXE
Downloads