Analysis
max time kernel: 145s
max time network: 146s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 00:38
Behavioral task: behavioral1
Sample: 63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: 63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe
Size: 88KB
MD5: 63b80b78b63f5395cec182e54926d640
SHA1: cb2a5edfdc7172d4080a5d63055c5c28a80cfd09
SHA256: e68c40371975dd0c13314b7e51ae4a64738a5f77c4ddf9709194cb94b4b6ed85
SHA512: b3d0a9ac632499c3493f0049ec128a29ac7b5f6eb65387a74e6db394e499873ca38c4e9e6f8dbb401d088c06b83025437f44eb6a3f3972f2d8fe277d8f3399bd
SSDEEP: 1536:zd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:zdseIOMEZEyFjEOFqTiQm5l/5
Malware Config
Extracted (neconyd):
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  2424  omsecor.exe
  3004  omsecor.exe
  1944  omsecor.exe

Loads dropped DLL (6 IoCs)
Processes:
  pid   process
  2228  63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe
  2228  63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe
  2424  omsecor.exe
  2424  omsecor.exe
  3004  omsecor.exe
  3004  omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process                                               target process
  PID 2228 wrote to memory of 2424  2228  63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe  omsecor.exe
  PID 2228 wrote to memory of 2424  2228  63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe  omsecor.exe
  PID 2228 wrote to memory of 2424  2228  63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe  omsecor.exe
  PID 2228 wrote to memory of 2424  2228  63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe  omsecor.exe
  PID 2424 wrote to memory of 3004  2424  omsecor.exe                                           omsecor.exe
  PID 2424 wrote to memory of 3004  2424  omsecor.exe                                           omsecor.exe
  PID 2424 wrote to memory of 3004  2424  omsecor.exe                                           omsecor.exe
  PID 2424 wrote to memory of 3004  2424  omsecor.exe                                           omsecor.exe
  PID 3004 wrote to memory of 1944  3004  omsecor.exe                                           omsecor.exe
  PID 3004 wrote to memory of 1944  3004  omsecor.exe                                           omsecor.exe
  PID 3004 wrote to memory of 1944  3004  omsecor.exe                                           omsecor.exe
  PID 3004 wrote to memory of 1944  3004  omsecor.exe                                           omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
  Filesize: 88KB
  MD5: 1fbf51b03b55cc679b5f22db8cd6df90
  SHA1: a9d6d9e9e59e26dedc35390111c57174fa9cef8d
  SHA256: c15fb70b6b50fff98fc89ea4f068e2202aa1cfbf1e0057041e1485278b9ac625
  SHA512: b8173d7785626f65b43bfd2ac4066c04643b2728615cdf81daa093f652f982c657df1b1f42e8909797507d7f020e243b4740d0dc6bab1fbcff22f15f24ec8665

C:\Users\Admin\AppData\Roaming\omsecor.exe
  Filesize: 88KB
  MD5: b8c56e0fdc4837f16918af417eac64b9
  SHA1: 724db549af5582a3704fa3f9e8dcebc6151503da
  SHA256: 4c70e245e85212c4c1b5952d97ec84c1df7354a1d69b98911f57feefc08f26d3
  SHA512: 37aaf2379fe9271ba9a250e28b4ff28efd8f02c8150531e901b8319f4290e6e297db7c85a742cab954b6009a2349e797d8ede05b2657632c6042d727a042658d

\Windows\SysWOW64\omsecor.exe
  Filesize: 88KB
  MD5: fc260a8fef7306b4614b0bd4168e8f17
  SHA1: 23c37f25cb4dc0db788cb3eb0a251e0bbd05efad
  SHA256: ba317091c63cca3c624e274ecee87cae26144d43868d512782fd33f4fb044b46
  SHA512: a6fbdec9b8f25810cc35667a02d1f5ec1c72d3c37e3c8445fcdce4a5379730d97236112a78854308db4335d9cb16b1cb3faff02dcec351b282be4e327647f971