Analysis
max time kernel: 146s
max time network: 148s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 01:47
Behavioral task: behavioral1
Sample: 70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe
Size: 72KB
MD5: 70ff0a388a2f4b11613b8e14915caf80
SHA1: 979b71a89232da68f34423dd3d59d87c17b2c07a
SHA256: 94715f5fa671f0dfa29eba6ecee76ac1eec3c36dfb87991f285b8581297ef0e2
SHA512: 8ad803e0b73781b63ba02d0c65e87a5e96ecffbb981b0d623d85725352059f9638a6c574e587f3e13fc4f2f48310c7cda988b05b6c0d79ccb68443196840ab42
SSDEEP: 1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211:4dseIOMEZEyFjEOFqTiQm5l/5211
Malware Config
Extracted: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
Processes: omsecor.exe, omsecor.exe, omsecor.exe
  pid   process
  2832  omsecor.exe
  1732  omsecor.exe
  2300  omsecor.exe

Loads dropped DLL (6 IoCs)
Processes: 70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe, omsecor.exe, omsecor.exe
  pid   process
  2324  70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe
  2324  70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe
  2832  omsecor.exe
  2832  omsecor.exe
  1732  omsecor.exe
  1732  omsecor.exe

Drops file in System32 directory (1 IoC)
Processes: omsecor.exe
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe, omsecor.exe, omsecor.exe
  description      pid   process                                              target pid  target process
  wrote to memory  2324  70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe  2832        omsecor.exe
  wrote to memory  2324  70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe  2832        omsecor.exe
  wrote to memory  2324  70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe  2832        omsecor.exe
  wrote to memory  2324  70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe  2832        omsecor.exe
  wrote to memory  2832  omsecor.exe                                          1732        omsecor.exe
  wrote to memory  2832  omsecor.exe                                          1732        omsecor.exe
  wrote to memory  2832  omsecor.exe                                          1732        omsecor.exe
  wrote to memory  2832  omsecor.exe                                          1732        omsecor.exe
  wrote to memory  1732  omsecor.exe                                          2300        omsecor.exe
  wrote to memory  1732  omsecor.exe                                          2300        omsecor.exe
  wrote to memory  1732  omsecor.exe                                          2300        omsecor.exe
  wrote to memory  1732  omsecor.exe                                          2300        omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize: 72KB
MD5: 4268d299287702739bbbacc5004e0198
SHA1: 7cac9db21d4462f614969865df86b86433aa8bdf
SHA256: c553d8900213085be9d2ef7abf871e5f87dd7f95a3f3df62792dfdbf58352616
SHA512: a910a72944645e91e62655c7e63d967c64569d4532a60428e1cd6e573b43338d73e257fc530963c19294c5daf29a35fa1636f34cd643ad6252c8ee385c0be951

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize: 72KB
MD5: 66d88d261c2449bf09783438ea9f3b4a
SHA1: 8b408014293c1b66f6f06f9e19e95fb91031b364
SHA256: b28a52ee5ebde7c7335ad2428ee4c7e26cc8fba026645f4825e969e447963cc9
SHA512: 362a18575d0098434e0e706dc208412d0ebad63e5f2e6cfbe9335dba49e4beb28690ca51a40ee2299f4a97351ea298d16ac2e92dfc996e4b44d92f67726b2b65

\Windows\SysWOW64\omsecor.exe
Filesize: 72KB
MD5: e7870e7fc916c6b7fdd6048f1e0c250e
SHA1: 3dd4ccfa522be6cbd5d92c3e4a1e7f8d7e8824eb
SHA256: 051a8a688d2917eca0dd698ee5ee682e872bed51decac56746b80f1802be9676
SHA512: 7aaa3a65bef0a25b334c4e577198552dcfd47ce6175c94198a85c895945893e5e5ed6be83330acc64fbf68d257d9dbe477cf6095146cdd1a004375877fdf0571