Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 09:40
Behavioral task: behavioral1
Sample: bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe
Size: 68KB
MD5: bde2456b4af6893faf7b20b252151e17
SHA1: 5c0055289b2fbd7db3c96d62630421c86a3fdcae
SHA256: 3cddb6eafc76ba5194f776a68411b44a9c55b2846dcf10b3ab618d3ce31e5c3f
SHA512: 84614e61b038b42b173b0c77cb6bf9a433f88ef8903fad858572906ec1c1c43224c89986ccff04e802dbf86464b8b6a652ed6ac30ec26b2f3ef040a60bc74205
SSDEEP: 1536:Td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:TdseIOMEZEyFjEOFqTiQm5l/5
Malware Config
Extracted: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  1460  omsecor.exe
  4360  omsecor.exe
  3596  omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                       pid   process                                              target process
  PID 232 wrote to memory of 1460   232   bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe  omsecor.exe
  PID 232 wrote to memory of 1460   232   bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe  omsecor.exe
  PID 232 wrote to memory of 1460   232   bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe  omsecor.exe
  PID 1460 wrote to memory of 4360  1460  omsecor.exe                                          omsecor.exe
  PID 1460 wrote to memory of 4360  1460  omsecor.exe                                          omsecor.exe
  PID 1460 wrote to memory of 4360  1460  omsecor.exe                                          omsecor.exe
  PID 4360 wrote to memory of 3596  4360  omsecor.exe                                          omsecor.exe
  PID 4360 wrote to memory of 3596  4360  omsecor.exe                                          omsecor.exe
  PID 4360 wrote to memory of 3596  4360  omsecor.exe                                          omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe"
   PID: 232
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1460
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 4360
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 3596
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads