Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 07:32
Behavioral task: behavioral1
Sample: d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe
Size: 92KB
MD5: d2cd9a9616266103c033c4cd5af543a0
SHA1: 297ebd574004a01108d997d73248db89dfdbf2fc
SHA256: 011c059fa55493bf1821a870d89e7d6d3f5f1c45646c952f33194ca2770668a1
SHA512: 02c72d5137a9f8b8536507761def77e2b1ff381fc0ca9105f56760d8ff31ef32fb72e36c9947e7a6557e763c04dfd8bf523fc7bb92eee020d0082e51bdf0c21e
SSDEEP: 1536:/d9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:3dseIOyEZEyFjEOFqTiQm5l/5
Malware Config
Extracted family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  1324  omsecor.exe
  2616  omsecor.exe
  4404  omsecor.exe
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 1328 wrote to memory of 1324  d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe  omsecor.exe
  PID 1328 wrote to memory of 1324  d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe  omsecor.exe
  PID 1328 wrote to memory of 1324  d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe  omsecor.exe
  PID 1324 wrote to memory of 2616  omsecor.exe  omsecor.exe
  PID 1324 wrote to memory of 2616  omsecor.exe  omsecor.exe
  PID 1324 wrote to memory of 2616  omsecor.exe  omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe"
   PID: 1328
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1324
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 2616
         - Executes dropped EXE
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 4404
            - Executes dropped EXE
Downloads
- File 1
  Filesize: 92KB
  MD5: a00eab46c5f0ba93984257d595e6db62
  SHA1: b3850fc3e177a762cc3a8f5ee266c49967480b41
  SHA256: a130fa28aadc20d9ea3ad4c2b8a24bcaefa8c5e00e50405e2696cea02885d901
  SHA512: 407eb1498990ac000f69770fe21a9934f374ab330263b819adb46ef83d36ccaa1cce50f89a74526c039d4e2299101dfc162a262f2768a3190c6951b16a2917d0
- File 2
  Filesize: 92KB
  MD5: 84230afd5a8a2644094660f014b02995
  SHA1: 36e2352fdce75e7afd6300e7fc527232eb140ce4
  SHA256: 78b98f9e1b0b085472a8d9c0d15b2aa44d7185859c5020b4e948cb0e72d7299c
  SHA512: 4a8223eff219b57af9d6e603e5aad94715ed0674d4b2f87ee05573e3cf404a4491253aebf95bc9e9ba442bd1a6884ce732ed923252dbd27c81e27365733edc98
- File 3
  Filesize: 92KB
  MD5: 13f49e4a4a81b2dfaa5471c3c897469e
  SHA1: f2edbb98b9fd5e4ab2bc68840ef22a5f49a746c9
  SHA256: e3eac5d9abb48a6271d0b9c3f1a870fd631e630866a3b75a72725e9ee9655235
  SHA512: 5e472b1fb5cb3948014bf2f8f80d1feb40a1e0ec1087f275b4c3938bb5929df170aaec2b8747269cbe82fef2d5f21c6e22d6ff77b6773b80a51d07ce053f4ae7