Analysis
max time kernel: 148s
max time network: 155s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20-05-2024 09:40
Behavioral task: behavioral1
Sample: bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe
Size: 68KB
MD5: bde2456b4af6893faf7b20b252151e17
SHA1: 5c0055289b2fbd7db3c96d62630421c86a3fdcae
SHA256: 3cddb6eafc76ba5194f776a68411b44a9c55b2846dcf10b3ab618d3ce31e5c3f
SHA512: 84614e61b038b42b173b0c77cb6bf9a433f88ef8903fad858572906ec1c1c43224c89986ccff04e802dbf86464b8b6a652ed6ac30ec26b2f3ef040a60bc74205
SSDEEP: 1536:Td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:TdseIOMEZEyFjEOFqTiQm5l/5
Malware Config
Extracted: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  2632  omsecor.exe
  1308  omsecor.exe
  572   omsecor.exe

Loads dropped DLL (6 IoCs)
Processes:
  pid   process
  2812  bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe
  2812  bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe
  2632  omsecor.exe
  2632  omsecor.exe
  1308  omsecor.exe
  1308  omsecor.exe

Drops file in System32 directory (1 IoCs)
Processes:
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process                                               target process
  PID 2812 wrote to memory of 2632  2812  bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe  omsecor.exe
  PID 2812 wrote to memory of 2632  2812  bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe  omsecor.exe
  PID 2812 wrote to memory of 2632  2812  bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe  omsecor.exe
  PID 2812 wrote to memory of 2632  2812  bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe  omsecor.exe
  PID 2632 wrote to memory of 1308  2632  omsecor.exe                                           omsecor.exe
  PID 2632 wrote to memory of 1308  2632  omsecor.exe                                           omsecor.exe
  PID 2632 wrote to memory of 1308  2632  omsecor.exe                                           omsecor.exe
  PID 2632 wrote to memory of 1308  2632  omsecor.exe                                           omsecor.exe
  PID 1308 wrote to memory of 572   1308  omsecor.exe                                           omsecor.exe
  PID 1308 wrote to memory of 572   1308  omsecor.exe                                           omsecor.exe
  PID 1308 wrote to memory of 572   1308  omsecor.exe                                           omsecor.exe
  PID 1308 wrote to memory of 572   1308  omsecor.exe                                           omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2812
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      PID: 2632
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         PID: 1308
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            PID: 572
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 68KB
MD5: a5f1f428a14291d4542031b7fc3e21a4
SHA1: 7fef04a0f9b6d20aba8226e151b25a1d358b5ee5
SHA256: d4abc8cac66c4ad88b4f96cb7aa934d5cb720e68e85da090c2328509e77881fb
SHA512: 4888c99b0cb3aab27742eb6897434c7c2ac10206364ca749777b09782a0dd0f39f0f53c853a73dd352b328ce141224ae4a13c7c47676c2cf9d42c5b90279e83a

Filesize: 68KB
MD5: 3d8fa1dd5bb94aa011af6cbd006ce05c
SHA1: d919f82b01cbad384ed1d8a3e5c4130726bb15f3
SHA256: 88dbb7c3f1ae75cf3053104a251861fbe86fee400647d8e48727fc2c81be751d
SHA512: 5554dd5bdf35d156e1e3bad6615bbf317cb7fba12af88a7d79eb14f1032dab3e336faacbe75e4406fb1a408fb91a072f51ef55afa7e20887ca8701182f12da01

Filesize: 68KB
MD5: ac55632bc24b5b240bc085f5a3bd7301
SHA1: cb106086736fedc5f34c8a886541ea1e9bf0402b
SHA256: 1eaab479dde21111f3bce9e0d6f1003ce0fc9f2da2a2f7db87d0eeb698f1b703
SHA512: 405ac9104d25657d2bcf33eeb3f0729f8dfe5c0f41c4c9f60de4b14d4437526119427d614339fb66fca8007d13e388360b991e227c097859c22f6ff44534aade