Analysis
max time kernel: 145s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 10:19
Behavioral task: behavioral1
Sample: e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe
Resource: win7-20231129-en
General
Target: e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe
Size: 35KB
MD5: e6e85280c32c67b3cbf2173a45634660
SHA1: fa08ceda7b30e98146c1a19d74d3daf8d82af136
SHA256: 0a414484d848703889fb77fbbcb497e5fb9743425bd2dce94abe5f307a8353a1
SHA512: dc9a0e6f9548d240e06928d2489698de0237fa4d2238154f29f6fbf04c84c1fa0a7b9feb089e8c68b3dc75b76e8edb5017a8e68195b6c93e1ceb87e3cfd52640
SSDEEP: 768:L6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:28Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted
Family: neconyd
C2:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE 3 IoCs
Processes (pid / process):
1904 omsecor.exe
3780 omsecor.exe
2392 omsecor.exe

UPX packed file 15 IoCs
Resources matching yara rule upx:
behavioral2/memory/2372-1-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
behavioral2/memory/2372-5-0x0000000000400000-0x000000000042D000-memory.dmp
behavioral2/memory/1904-7-0x0000000000400000-0x000000000042D000-memory.dmp
behavioral2/memory/1904-8-0x0000000000400000-0x000000000042D000-memory.dmp
behavioral2/memory/1904-11-0x0000000000400000-0x000000000042D000-memory.dmp
behavioral2/memory/1904-14-0x0000000000400000-0x000000000042D000-memory.dmp
behavioral2/memory/1904-15-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
behavioral2/memory/1904-20-0x0000000000400000-0x000000000042D000-memory.dmp
behavioral2/memory/3780-23-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
behavioral2/memory/2392-27-0x0000000000400000-0x000000000042D000-memory.dmp
behavioral2/memory/2392-29-0x0000000000400000-0x000000000042D000-memory.dmp
behavioral2/memory/2392-32-0x0000000000400000-0x000000000042D000-memory.dmp

Drops file in System32 directory 1 IoCs
Processes (description / ioc / process):
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs
Processes (pid process -> target pid target process; each pair recorded three times):
2372 e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe -> 1904 omsecor.exe
1904 omsecor.exe -> 3780 omsecor.exe
3780 omsecor.exe -> 2392 omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe"
   PID: 2372
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 1904
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         (the sample is 32-bit, so the System32 path on the command line is redirected by WOW64 to SysWOW64, which is where the file was actually created)
         PID: 3780
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2392
            - Executes dropped EXE
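Added example, not part of the sandbox report: a Python hunt that encodes the indicators above (the omsecor.exe drop locations, the System32 write that lands in SysWOW64, the Roaming -> SysWOW64 -> Roaming relaunch chain, and the neconyd C2 hosts) and runs them over Sysmon-style process-create, file-create and DNS-query records. The event records are constructed to mirror the process tree above (the DNS lookup from PID 2392 is hypothetical; the report captured no network data) and the Event type and rule names are this example's own.

```python
"""
Hunt for this report's indicators in Sysmon-style telemetry.

The event records at the bottom are constructed to mirror the process tree
in the report; they are not logs captured by the sandbox.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

# Indicators copied from the report.
C2_URLS = ["http://ow5dirasuek.com/", "http://mkkuei4kdsz.com/", "http://lousta.net/"]
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}
DROP_NAME = "omsecor.exe"
ROAMING_DIR = "\\appdata\\roaming\\"
SYSWOW64_DIR = "\\windows\\syswow64\\"


def normalize_wow64(path: str) -> str:
    """Lower-case a Windows path and fold the WOW64 file-system redirection.

    A 32-bit process that opens C:\\Windows\\System32\\x really touches
    C:\\Windows\\SysWOW64\\x, which is why the command line in the report
    says System32 while the created file sits in SysWOW64.
    """
    return path.lower().replace("\\windows\\system32\\", SYSWOW64_DIR)


def is_dropped_omsecor(path: str) -> bool:
    """True for omsecor.exe in either drop location named by the report."""
    p = normalize_wow64(path)
    if not p.endswith("\\" + DROP_NAME):
        return False
    return ROAMING_DIR in p or SYSWOW64_DIR in p


@dataclass(frozen=True)
class Event:
    kind: str               # "process_create", "file_create" or "dns_query"
    pid: int
    image: str              # image of the acting process
    parent_image: str = ""  # process_create only
    target: str = ""        # file_create: created path; dns_query: queried host


def hunt(events: Iterable[Event]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) for every event that matches an indicator."""
    hits: List[Tuple[int, str]] = []
    for ev in events:
        img = normalize_wow64(ev.image)
        if ev.kind == "process_create" and is_dropped_omsecor(ev.image):
            hits.append((ev.pid, "dropped omsecor.exe executed"))
            # The report's chain: the Roaming copy launches the SysWOW64 copy,
            # which launches the Roaming copy again.
            if is_dropped_omsecor(ev.parent_image):
                hits.append((ev.pid, "omsecor.exe relaunch chain"))
        elif ev.kind == "file_create":
            tgt = normalize_wow64(ev.target)
            if SYSWOW64_DIR in tgt and ROAMING_DIR in img:
                hits.append((ev.pid, "user-profile binary wrote into System32/SysWOW64"))
        elif ev.kind == "dns_query" and ev.target.lower() in C2_HOSTS:
            hits.append((ev.pid, "neconyd C2 host resolved"))
    return hits


# Constructed telemetry mirroring the report's process tree, plus two benign events.
SAMPLE_EVENTS = [
    Event("process_create", 1904, r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
          parent_image=r"C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe"),
    Event("file_create", 1904, r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
          target=r"C:\Windows\SysWOW64\omsecor.exe"),
    Event("process_create", 3780, r"C:\Windows\SysWOW64\omsecor.exe",
          parent_image=r"C:\Users\Admin\AppData\Roaming\omsecor.exe"),
    Event("process_create", 2392, r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
          parent_image=r"C:\Windows\SysWOW64\omsecor.exe"),
    # Hypothetical C2 lookup; the report captured no network activity.
    Event("dns_query", 2392, r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
          target="ow5dirasuek.com"),
    Event("process_create", 4100, r"C:\Windows\System32\notepad.exe",
          parent_image=r"C:\Windows\explorer.exe"),
    Event("dns_query", 4100, r"C:\Windows\System32\notepad.exe", target="example.com"),
]

if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

The path normalization matters when the hunt runs over command-line fields rather than Sysmon image paths: a rule that looks only for `C:\Windows\SysWOW64\omsecor.exe` misses the `C:\Windows\System32\omsecor.exe` string the sample actually passes, and vice versa.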
Downloads

Filesize: 35KB
MD5: 3a86badba8706b241d53fbb6038ca5c2
SHA1: 4cb96dcb8ef741f8c0d13516e07c10b1be0dca2f
SHA256: 4a3177b3a1f5d2268e6cb59a1cda945b6d5cd959b793e159d53318b442659509
SHA512: 24dbebc85bd997ee83472b4d46ece6fc90b508de2f8ef844dc8b7d64d9adc62788774605a56db4f48b9bc16470043e3cece0643d94f974cc09af41da6a2807d8

Filesize: 35KB
MD5: 07fdbbbd4d926e08644248958682c718
SHA1: dd04b05687f739af49b4c3f2feb88a1bd2a38642
SHA256: a79eb03db3da8357f1186b1fd5774db3bfcaf6eeb71b8d7b3964ed83cac0448d
SHA512: d7c4cc8a4a498f2e99e544ea24987e605f54b11039edaeabeac5d2899372535707a9431382ccf6fe49ba885a00c0a41cfe586f415a31f73158e3a2a4e0d3cc69

Filesize: 35KB
MD5: 5e4e00f30bce6955b044415575ec3b77
SHA1: 0a1a348a90f0afb1bf5b71a62e7a6ddbb22b2bb1
SHA256: 24532aee4ece65cda4dd3e4181f31ed07f9615aa6950e44d030af4a443e4cc71
SHA512: 43d76d486752258567e66fbd59dd10d99f74ccc98493a109c20c8564c52e87e83cd959c230a14fd5f9ec663fbc9e91504ed6a1850b4df5f0405e46c71bc3da19

Note: all three files are 35KB, the same size as the submitted sample, yet none of the hashes matches the sample or another download, so the only files written during the run (the omsecor.exe copies) are not byte-identical to their parent. Hash matching on the dropped copies will therefore not carry across runs; the drop paths and the C2 hosts are the indicators to pivot on.