Analysis
max time kernel: 139s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 01:47
Behavioral task: behavioral1
Sample: 70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe
Size: 72KB
MD5: 70ff0a388a2f4b11613b8e14915caf80
SHA1: 979b71a89232da68f34423dd3d59d87c17b2c07a
SHA256: 94715f5fa671f0dfa29eba6ecee76ac1eec3c36dfb87991f285b8581297ef0e2
SHA512: 8ad803e0b73781b63ba02d0c65e87a5e96ecffbb981b0d623d85725352059f9638a6c574e587f3e13fc4f2f48310c7cda988b05b6c0d79ccb68443196840ab42
SSDEEP: 1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211:4dseIOMEZEyFjEOFqTiQm5l/5211
Malware Config
Extracted: neconyd
C2 URLs:
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Executes dropped EXE (2 IoCs)
Processes (pid, process):
  532   omsecor.exe
  2120  omsecor.exe

Drops file in System32 directory (2 IoCs)
Processes (description, ioc, process):
  File created: C:\Windows\SysWOW64\omsecor.exe (by omsecor.exe)
  File opened for modification: C:\Windows\SysWOW64\merocz.xc6 (by omsecor.exe)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description, pid, process, target process):
  PID 4112 wrote to memory of 532: 70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe -> omsecor.exe
  PID 4112 wrote to memory of 532: 70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe -> omsecor.exe
  PID 4112 wrote to memory of 532: 70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe -> omsecor.exe
  PID 532 wrote to memory of 2120: omsecor.exe -> omsecor.exe
  PID 532 wrote to memory of 2120: omsecor.exe -> omsecor.exe
  PID 532 wrote to memory of 2120: omsecor.exe -> omsecor.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe"
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory

Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3984 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
  Filesize: 72KB
  MD5: 66d88d261c2449bf09783438ea9f3b4a
  SHA1: 8b408014293c1b66f6f06f9e19e95fb91031b364
  SHA256: b28a52ee5ebde7c7335ad2428ee4c7e26cc8fba026645f4825e969e447963cc9
  SHA512: 362a18575d0098434e0e706dc208412d0ebad63e5f2e6cfbe9335dba49e4beb28690ca51a40ee2299f4a97351ea298d16ac2e92dfc996e4b44d92f67726b2b65

C:\Windows\SysWOW64\omsecor.exe
  Filesize: 72KB
  MD5: 01caff62c64eca4aca27696a8a9de999
  SHA1: ecc8b4dc0dfac22ef8edfcbbdb0fd855c6d782d5
  SHA256: 4fb4f376cb7603ff7e19d571d65a84055c8dfe25880c18ff58cf07c439220070
  SHA512: a2a0cd95001b7d1cb697757f0e6c7217dcbb0c910389072c3baee37f14abb444288148f457015f1940c6c82d331d7f0a7d7e3ce817186e2a5a27db0060bd7352