Analysis
Max time kernel: 148s
Max time network: 150s
Platform: windows7_x64
Resource: win7-20240419-en
Resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
Submitted: 20-05-2024 07:24
Behavioral task: behavioral1
Sample: d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe
Resource: win7-20240419-en
General
Target: d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe
Size: 92KB
MD5: d0efb5497c7eebd213ef6ff801d16fa0
SHA1: e148ff316600c1562af98b7d5ba2b81cfb4a1aa0
SHA256: b6855800b7590ffff020758f8debf87cd93fc1eed7524647f2322e8cad9ac2ae
SHA512: 8db71ca7e4b11fa5c0aa585d352ceaf38b3c82c11fa732dc8cb0913058696195bb44237f6b2d1da407c13bcfd54944196346176c34f21b2ec4f7c20a24cdf0c4
SSDEEP: 768:XMTIvFGvZEh8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:XUIvYvZEgFKF6N4yS+AQmZTl/5
Malware Config
Extracted: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
PID   Process
2328  omsecor.exe
2784  omsecor.exe
1636  omsecor.exe

Loads dropped DLL (6 IoCs)
PID   Process
2128  d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe
2128  d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe
2328  omsecor.exe
2328  omsecor.exe
2784  omsecor.exe
2784  omsecor.exe

Drops file in System32 directory (1 IoC)
Description   IoC                               Process
File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Description                        PID   Process                                               Target process
PID 2128 wrote to memory of 2328   2128  d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe  omsecor.exe
PID 2128 wrote to memory of 2328   2128  d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe  omsecor.exe
PID 2128 wrote to memory of 2328   2128  d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe  omsecor.exe
PID 2128 wrote to memory of 2328   2128  d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe  omsecor.exe
PID 2328 wrote to memory of 2784   2328  omsecor.exe                                           omsecor.exe
PID 2328 wrote to memory of 2784   2328  omsecor.exe                                           omsecor.exe
PID 2328 wrote to memory of 2784   2328  omsecor.exe                                           omsecor.exe
PID 2328 wrote to memory of 2784   2328  omsecor.exe                                           omsecor.exe
PID 2784 wrote to memory of 1636   2784  omsecor.exe                                           omsecor.exe
PID 2784 wrote to memory of 1636   2784  omsecor.exe                                           omsecor.exe
PID 2784 wrote to memory of 1636   2784  omsecor.exe                                           omsecor.exe
PID 2784 wrote to memory of 1636   2784  omsecor.exe                                           omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe (PID 2128)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2328)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe (PID 2784)
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1636)
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

-
Filesize: 92KB
MD5: 9d83235880b393306ce82a8312bcb6d8
SHA1: 9619b2513fafd662bc267d4e1f9a1385a5e835eb
SHA256: 995faf9ddc9a560bbdf5c9a8158659424e736093f07f91b2c60d9001e1b01259
SHA512: 6f600fd6a71325ede580af8d19a9eb321fc4069df58b87a127bd3a9c7338e58f2009223cb5c656505d611a395da4cd65704a82513ca4b13240ea8c170b0f0832

-
Filesize: 92KB
MD5: 3461ef828525235e423cbe16e827c75e
SHA1: 3a76a0bc08ecb118f44f6e34d071271b3395b98c
SHA256: ddc67cb2ed7b19a3cb4149c499016640494c73a97dc90f5a1efcf6efbee0a3e3
SHA512: 1bb3b3b478a6b47322f154bc80d73c18ede6b9fd616690ae5753c4ed21e9ac22381d0787bca59f19f60248bdf71c0e6843ce6de39ace576aeef4e8e54ae009f4

-
Filesize: 92KB
MD5: db32eababb23dfeac2151d4e3d2b532b
SHA1: 4c23ccecebb36e8897935c60bd7925fd15df0c74
SHA256: 296b5fe0cf128174e61e9c49dc036ce0ee18810147aa78eb5afd00dfbe4700a5
SHA512: 468d2ca9997643057cdc47599d13201c7d691fa0aa2bbef32515734c89d711ebdeb8ddd6972959bb3bde78dc8dac74e4fa0e059e272140f591bb8b5e4d1ab4d5