Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 00:38
Behavioral task
- behavioral1
- Sample: 63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe
- Resource: win7-20240508-en
General
- Target: 63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe
- Size: 88KB
- MD5: 63b80b78b63f5395cec182e54926d640
- SHA1: cb2a5edfdc7172d4080a5d63055c5c28a80cfd09
- SHA256: e68c40371975dd0c13314b7e51ae4a64738a5f77c4ddf9709194cb94b4b6ed85
- SHA512: b3d0a9ac632499c3493f0049ec128a29ac7b5f6eb65387a74e6db394e499873ca38c4e9e6f8dbb401d088c06b83025437f44eb6a3f3972f2d8fe277d8f3399bd
- SSDEEP: 1536:zd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:zdseIOMEZEyFjEOFqTiQm5l/5
Malware Config
Extracted
- Family: neconyd
- C2 URLs:
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

- Executes dropped EXE (2 IoCs)
  pid   process
  1804  omsecor.exe
  3904  omsecor.exe

- Drops file in System32 directory (2 IoCs)
  description                   ioc                               process
  File created                  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
  File opened for modification  C:\Windows\SysWOW64\merocz.xc6    omsecor.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  pid   process                                               target pid  target process
  5064  63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe   1804        omsecor.exe
  5064  63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe   1804        omsecor.exe
  5064  63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe   1804        omsecor.exe
  1804  omsecor.exe                                           3904        omsecor.exe
  1804  omsecor.exe                                           3904        omsecor.exe
  1804  omsecor.exe                                           3904        omsecor.exe

  All six writes are a parent writing into the child it has just spawned (5064 -> 1804, then 1804 -> 3904), three per spawn. Writes of this shape accompany process creation; on their own they do not show injection into an unrelated process, so the stronger evidence in this report is the drop-and-execute chain, not this signature.
Processes
1. C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe (PID 5064)
   Command line: "C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1804)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe (PID 3904)
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Drops file in System32 directory

The third process is launched with a System32 path but its image is C:\Windows\SysWOW64\omsecor.exe: the process runs under WOW64, so its writes to System32 are redirected to SysWOW64 by WOW64 file system redirection. That is also why the "Drops file in System32 directory" IoCs point at SysWOW64, and a hunt for this drop should check both directories.
Downloads
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  Filesize: 88KB
  MD5: b8c56e0fdc4837f16918af417eac64b9
  SHA1: 724db549af5582a3704fa3f9e8dcebc6151503da
  SHA256: 4c70e245e85212c4c1b5952d97ec84c1df7354a1d69b98911f57feefc08f26d3
  SHA512: 37aaf2379fe9271ba9a250e28b4ff28efd8f02c8150531e901b8319f4290e6e297db7c85a742cab954b6009a2349e797d8ede05b2657632c6042d727a042658d
- C:\Windows\SysWOW64\omsecor.exe
  Filesize: 88KB
  MD5: f702a9bd27e5148dd3494d244b951c2e
  SHA1: 5ceceb82d31403ac83c4d1162f175fcf4d44073e
  SHA256: c0449a31ce1dcedeea0a7b03d31ffe090211880d433d7317ee24284fefcf834a
  SHA512: 3188343ceb6e33fcc43222550114a46d09e393a30c3798bb294c31d43b07f012e2e98ca0291688c32665437bc530303f4006a38660280c75facb35f828257708
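The IoCs in this report (drop paths, file hashes, C2 hosts and the spawn chain) can be turned into a small hunt over endpoint telemetry. The Python below is an added example written for this page, not code from the sandbox vendor or from any analysis of the sample. The event dictionaries are a constructed, Sysmon-like shape (process create, file create, DNS query); the parent PID of 5064, the benign svchost events and the DNS lookup of ow5dirasuek.com are illustrative assumptions, while the PIDs, paths, hashes and hosts are taken from the report.

```python
"""Hunt for the omsecor.exe / neconyd IoCs from the report above.

Added example. The event format and SAMPLE_EVENTS are constructed for
illustration; the indicators themselves come from the report.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# --- Indicators lifted from the report ----------------------------------
SAMPLE_SHA256 = "e68c40371975dd0c13314b7e51ae4a64738a5f77c4ddf9709194cb94b4b6ed85"
KNOWN_SHA256 = {
    SAMPLE_SHA256: "dropper 63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe",
    "4c70e245e85212c4c1b5952d97ec84c1df7354a1d69b98911f57feefc08f26d3": "AppData\\Roaming\\omsecor.exe",
    "c0449a31ce1dcedeea0a7b03d31ffe090211880d433d7317ee24284fefcf834a": "SysWOW64\\omsecor.exe",
}
C2_URLS = ["http://ow5dirasuek.com/", "http://mkkuei4kdsz.com/", "http://lousta.net/"]
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}

# The user name varies per host, and a WOW64 process that writes to
# System32 is redirected to SysWOW64, so both directories are accepted.
PATH_IOCS = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\omsecor\.exe$", re.I),
    re.compile(r"^c:\\windows\\(system32|syswow64)\\omsecor\.exe$", re.I),
    re.compile(r"^c:\\windows\\(system32|syswow64)\\merocz\.xc6$", re.I),
]


def path_is_ioc(path: str) -> bool:
    return any(p.match(path) for p in PATH_IOCS)


def sha256_is_ioc(hexdigest: str) -> Optional[str]:
    """Return the report's label for a known hash, else None."""
    return KNOWN_SHA256.get(hexdigest.lower())


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def hunt(events):
    """Walk Sysmon-like events and return (findings, parent_of, image_of).

    Event shapes (constructed for this example):
      process_create: pid, ppid, image, optional sha256
      file_create:    pid, target
      dns_query:      pid, query
    """
    findings, parent_of, image_of = [], {}, {}
    for ev in events:
        pid = ev["pid"]
        if ev["event"] == "process_create":
            parent_of[pid] = ev["ppid"]
            image_of[pid] = ev["image"]
            if path_is_ioc(ev["image"]):
                findings.append(Finding("exec_from_ioc_path", pid, ev["image"]))
            label = sha256_is_ioc(ev.get("sha256", ""))
            if label:
                findings.append(Finding("known_hash", pid, label))
        elif ev["event"] == "file_create" and path_is_ioc(ev["target"]):
            findings.append(Finding("drop_to_ioc_path", pid, ev["target"]))
        elif ev["event"] == "dns_query" and ev["query"].lower() in C2_HOSTS:
            findings.append(Finding("c2_dns", pid, ev["query"]))
    return findings, parent_of, image_of


def chain(pid, parent_of, image_of):
    """Follow parent links back to the earliest process we have an image for."""
    out = []
    while pid in image_of:
        out.append((pid, image_of[pid]))
        pid = parent_of.get(pid)
    return list(reversed(out))


# Constructed telemetry mirroring the report's chain. The parent of 5064,
# the DNS lookup and the svchost events are illustrative, not from the report.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 5064, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe",
     "sha256": SAMPLE_SHA256},
    {"event": "file_create", "pid": 5064, "target": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"event": "process_create", "pid": 1804, "ppid": 5064,
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "sha256": "4c70e245e85212c4c1b5952d97ec84c1df7354a1d69b98911f57feefc08f26d3"},
    {"event": "file_create", "pid": 1804, "target": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"event": "file_create", "pid": 1804, "target": r"C:\Windows\SysWOW64\merocz.xc6"},
    {"event": "process_create", "pid": 3904, "ppid": 1804,
     "image": r"C:\Windows\SysWOW64\omsecor.exe",
     "sha256": "c0449a31ce1dcedeea0a7b03d31ffe090211880d433d7317ee24284fefcf834a"},
    {"event": "dns_query", "pid": 3904, "query": "ow5dirasuek.com"},
    {"event": "process_create", "pid": 4000, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe"},
    {"event": "dns_query", "pid": 4000, "query": "www.microsoft.com"},
]


def run_sample():
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    findings, parent_of, image_of = run_sample()
    for f in findings:
        print(f"{f.rule:20} pid={f.pid:<5} {f.detail}")
    print("spawn chain:", " -> ".join(f"{p}:{img.rsplit(chr(92), 1)[-1]}" for p, img in chain(3904, parent_of, image_of)))
```

The path and chain rules are the durable part of this hunt: the report lists three 88KB copies of the same payload with three different hashes (the original sample and the two dropped omsecor.exe files), so matching on file hashes alone will miss the next drop, while "executable written to AppData\Roaming, then re-dropped into SysWOW64 and executed from a System32 command line" describes the behaviour regardless of the bytes.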