Analysis
max time kernel: 145s
max time network: 150s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 20-05-2024 10:19
Behavioral task: behavioral1
Sample: e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe
Resource: win7-20231129-en
General
Target: e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe
Size: 35KB
MD5: e6e85280c32c67b3cbf2173a45634660
SHA1: fa08ceda7b30e98146c1a19d74d3daf8d82af136
SHA256: 0a414484d848703889fb77fbbcb497e5fb9743425bd2dce94abe5f307a8353a1
SHA512: dc9a0e6f9548d240e06928d2489698de0237fa4d2238154f29f6fbf04c84c1fa0a7b9feb089e8c68b3dc75b76e8edb5017a8e68195b6c93e1ceb87e3cfd52640
SSDEEP: 768:L6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:28Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
  2992 | omsecor.exe
  1940 | omsecor.exe
  1332 | omsecor.exe
- Loads dropped DLL (6 IoCs)
  Processes (pid | process):
  2232 | e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe
  2232 | e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe
  2992 | omsecor.exe
  2992 | omsecor.exe
  1940 | omsecor.exe
  1940 | omsecor.exe
- Processes (resource | yara_rule):
  behavioral1/memory/2232-0-0x0000000000400000-0x000000000042D000-memory.dmp | upx
  \Users\Admin\AppData\Roaming\omsecor.exe | upx
  behavioral1/memory/2992-14-0x0000000000400000-0x000000000042D000-memory.dmp | upx
  behavioral1/memory/2232-12-0x0000000000400000-0x000000000042D000-memory.dmp | upx
  behavioral1/memory/2232-8-0x0000000000220000-0x000000000024D000-memory.dmp | upx
  behavioral1/memory/2992-15-0x0000000000400000-0x000000000042D000-memory.dmp | upx
  behavioral1/memory/2992-18-0x0000000000400000-0x000000000042D000-memory.dmp | upx
  behavioral1/memory/2992-21-0x0000000000400000-0x000000000042D000-memory.dmp | upx
  behavioral1/memory/2992-24-0x0000000000400000-0x000000000042D000-memory.dmp | upx
  \Windows\SysWOW64\omsecor.exe | upx
  behavioral1/memory/2992-27-0x0000000002550000-0x000000000257D000-memory.dmp | upx
  behavioral1/memory/2992-34-0x0000000000400000-0x000000000042D000-memory.dmp | upx
  \Users\Admin\AppData\Roaming\omsecor.exe | upx
  behavioral1/memory/1940-47-0x0000000000400000-0x000000000042D000-memory.dmp | upx
  behavioral1/memory/1332-48-0x0000000000400000-0x000000000042D000-memory.dmp | upx
  behavioral1/memory/1332-50-0x0000000000400000-0x000000000042D000-memory.dmp | upx
  behavioral1/memory/1332-53-0x0000000000400000-0x000000000042D000-memory.dmp | upx
- Drops file in System32 directory (1 IoC)
  Processes (description | ioc | process):
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 2232 wrote to memory of 2992 | 2232 | e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe | omsecor.exe
  PID 2232 wrote to memory of 2992 | 2232 | e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe | omsecor.exe
  PID 2232 wrote to memory of 2992 | 2232 | e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe | omsecor.exe
  PID 2232 wrote to memory of 2992 | 2232 | e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe | omsecor.exe
  PID 2992 wrote to memory of 1940 | 2992 | omsecor.exe | omsecor.exe
  PID 2992 wrote to memory of 1940 | 2992 | omsecor.exe | omsecor.exe
  PID 2992 wrote to memory of 1940 | 2992 | omsecor.exe | omsecor.exe
  PID 2992 wrote to memory of 1940 | 2992 | omsecor.exe | omsecor.exe
  PID 1940 wrote to memory of 1332 | 1940 | omsecor.exe | omsecor.exe
  PID 1940 wrote to memory of 1332 | 1940 | omsecor.exe | omsecor.exe
  PID 1940 wrote to memory of 1332 | 1940 | omsecor.exe | omsecor.exe
  PID 1940 wrote to memory of 1332 | 1940 | omsecor.exe | omsecor.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2232
  - C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2992
    - C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1940
      - C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        PID: 1332
Downloads