Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 07:24
Behavioral task: behavioral1
- Sample: d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe
- Resource: win7-20240419-en
General
- Target: d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe
- Size: 92KB
- MD5: d0efb5497c7eebd213ef6ff801d16fa0
- SHA1: e148ff316600c1562af98b7d5ba2b81cfb4a1aa0
- SHA256: b6855800b7590ffff020758f8debf87cd93fc1eed7524647f2322e8cad9ac2ae
- SHA512: 8db71ca7e4b11fa5c0aa585d352ceaf38b3c82c11fa732dc8cb0913058696195bb44237f6b2d1da407c13bcfd54944196346176c34f21b2ec4f7c20a24cdf0c4
- SSDEEP: 768:XMTIvFGvZEh8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:XUIvYvZEgFKF6N4yS+AQmZTl/5
Malware Config
Extracted family: neconyd
URLs in the extracted config:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 1876  omsecor.exe
    PID 3760  omsecor.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description, IoC, process):
    File created                  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
    File opened for modification  C:\Windows\SysWOW64\merocz.xc6    omsecor.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (source PID -> target PID, source process -> target process):
    4248 -> 1876  d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe -> omsecor.exe  (reported 3 times)
    1876 -> 3760  omsecor.exe -> omsecor.exe  (reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe"
  PID: 4248
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 1876
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 3760
      Signatures: Executes dropped EXE; Drops file in System32 directory

Note that the third process was launched with a System32 command line but its image resolved to C:\Windows\SysWOW64, which is what WOW64 file-system redirection does for a 32-bit process on 64-bit Windows; the same redirection explains why the "Drops file in System32 directory" signature records SysWOW64 paths.
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 92KB
  MD5: 9d83235880b393306ce82a8312bcb6d8
  SHA1: 9619b2513fafd662bc267d4e1f9a1385a5e835eb
  SHA256: 995faf9ddc9a560bbdf5c9a8158659424e736093f07f91b2c60d9001e1b01259
  SHA512: 6f600fd6a71325ede580af8d19a9eb321fc4069df58b87a127bd3a9c7338e58f2009223cb5c656505d611a395da4cd65704a82513ca4b13240ea8c170b0f0832
- Filesize: 92KB
  MD5: 7ac7e1b65a156deb571a0235c56bc734
  SHA1: 183cddbb99d9164d9e6bf3143afb6e2175a84c9a
  SHA256: 6241430bacc027c3d69d05162cd13e19ef504665d1f9f92e9e41ed3e43a99d99
  SHA512: 50c61276ff07fff7159e7b3eac05a47cd7b4d56cc12f92a5c5380796e10c6c46c659f8370ba7e355fcd4ed6c5e963b9de0346997b5e3fcecacdb0251b857e6a3
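The indicators above (the sample and download hashes, the dropped SysWOW64 paths, the URLs from the extracted neconyd config, and the Temp -> Roaming -> SysWOW64 omsecor.exe process chain) can be turned directly into host-telemetry checks. The following is an added example written for this page, not part of the sandbox output: it encodes those indicators and evaluates them over a handful of constructed, Sysmon-like event records. The event schema (type, image, parent_image, sha256, target, query) is a simplified assumption, treating the config URLs as C2 endpoints is an assumption since the report does not label them, and attributing the two Downloads hashes to the two omsecor.exe copies in the sample data is likewise an assumption, because the report lists those files by hash only.

```python
"""IoC matcher built from the indicators in this report (added example,
not part of the sandbox output). Event dicts use a simplified, Sysmon-like
schema assumed for illustration; SAMPLE_EVENTS below are constructed."""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Hashes taken from the report: the submitted sample plus the two 92KB files
# listed under Downloads.
SHA256_IOCS = {
    "b6855800b7590ffff020758f8debf87cd93fc1eed7524647f2322e8cad9ac2ae",  # submitted sample
    "995faf9ddc9a560bbdf5c9a8158659424e736093f07f91b2c60d9001e1b01259",  # download 1
    "6241430bacc027c3d69d05162cd13e19ef504665d1f9f92e9e41ed3e43a99d99",  # download 2
}

# URLs from the extracted neconyd config; the report lists them without a
# label, so treating them as C2 endpoints is an assumption.
CONFIG_URLS = [
    "http://ow5dirasuek.com/",
    "http://mkkuei4kdsz.com/",
    "http://lousta.net/",
]
C2_HOSTS = {urlparse(u).hostname for u in CONFIG_URLS}

# Paths from the "Drops file in System32 directory" signature (compared case-insensitively).
DROPPED_PATHS = {
    r"c:\windows\syswow64\omsecor.exe",
    r"c:\windows\syswow64\merocz.xc6",
}

# Process chain from the report: %Temp% sample -> %AppData%\Roaming\omsecor.exe
# -> C:\Windows\SysWOW64\omsecor.exe. The user name is wildcarded.
RE_USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RE_ROAMING_OMSECOR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\omsecor\.exe$", re.I)
RE_SYSWOW64_OMSECOR = re.compile(r"^c:\\windows\\syswow64\\omsecor\.exe$", re.I)


def match_event(ev: dict) -> list[str]:
    """Return the names of every indicator the event matches (empty list if none)."""
    hits: list[str] = []
    kind = ev.get("type")
    if kind == "process_create":
        image = ev.get("image", "")
        parent = ev.get("parent_image", "")
        if ev.get("sha256", "").lower() in SHA256_IOCS:
            hits.append("known_hash")
        # Stage 1: the dropper in the user's Temp launches its copy in Roaming.
        if RE_ROAMING_OMSECOR.match(image) and RE_USER_TEMP.match(parent):
            hits.append("omsecor_stage1_from_temp")
        # Stage 2: the Roaming copy launches the copy it planted in SysWOW64.
        if RE_SYSWOW64_OMSECOR.match(image) and RE_ROAMING_OMSECOR.match(parent):
            hits.append("omsecor_stage2_from_roaming")
    elif kind == "file_create":
        if ev.get("target", "").lower() in DROPPED_PATHS:
            hits.append("dropped_file_path")
    elif kind == "dns_query":
        # Normalise case and a trailing dot before comparing against the config hosts.
        if ev.get("query", "").lower().rstrip(".") in C2_HOSTS:
            hits.append("neconyd_c2_domain")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> matched indicators, keeping only events that hit something."""
    findings: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            findings[i] = hits
    return findings


SAMPLE_HASH = "b6855800b7590ffff020758f8debf87cd93fc1eed7524647f2322e8cad9ac2ae"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed events mirroring the report's process tree, plus one benign DNS query
# and one benign process. Attributing the two Downloads hashes to the two omsecor.exe
# copies is an assumption made for this sample data; the report does not name those files.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": DROPPER, "parent_image": r"C:\Windows\explorer.exe", "sha256": SAMPLE_HASH},
    {"type": "process_create", "image": ROAMING, "parent_image": DROPPER,
     "sha256": "995faf9ddc9a560bbdf5c9a8158659424e736093f07f91b2c60d9001e1b01259"},
    {"type": "process_create", "image": SYSWOW64, "parent_image": ROAMING,
     "sha256": "6241430bacc027c3d69d05162cd13e19ef504665d1f9f92e9e41ed3e43a99d99"},
    {"type": "file_create", "image": ROAMING, "target": SYSWOW64},
    {"type": "dns_query", "image": SYSWOW64, "query": "ow5dirasuek.com"},
    {"type": "dns_query", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "www.mozilla.org"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "sha256": "0" * 64},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

The chain rules match on parent/child path shape rather than on hashes, so they still fire if the dropper is repacked (the hashes change, the Temp -> Roaming -> SysWOW64 pattern does not); the hash and path sets are the brittle, high-confidence layer on top. When porting this to a real Sysmon feed, note that the image path recorded for the third process will be the SysWOW64 one, as in the report, even though the command line says System32.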