Analysis

Max time kernel: 145s
Max time network: 147s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23-05-2024 07:41
Behavioral task: behavioral1
Sample: 1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe
Resource: win7-20240508-en
General

Target: 1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe
Size: 64KB
MD5: 1889f9d2380a0b437839229a58a57910
SHA1: e36286ca074f0ecc71523a7a332ea48f332a26b3
SHA256: f3f0a313306e331089a062918b7e24ca0aeb07ebaf1d0895ec8df9a8654d2f75
SHA512: 165a935b7ddec438fad4cc749ec0e3191e51a515cf28b67b2394d9b059fd03f12fc49a817b96674772f8b5991d9a3bfadf8779201ef6eeef32d31ae505331fa9
SSDEEP: 768:SMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:SbIvYvZEyFKF6N4yS+AQmZcl/5
Malware Config

Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

- Executes dropped EXE (3 IoCs)
  Processes: omsecor.exe, omsecor.exe, omsecor.exe
    PID   Process
    3140  omsecor.exe
    3168  omsecor.exe
    3596  omsecor.exe

- Drops file in System32 directory (1 IoC)
  Processes: omsecor.exe
    Description   IoC                              Process
    File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe, omsecor.exe, omsecor.exe
    Description                       PID   Process                                               Target process
    PID 4128 wrote to memory of 3140  4128  1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe  omsecor.exe
    PID 4128 wrote to memory of 3140  4128  1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe  omsecor.exe
    PID 4128 wrote to memory of 3140  4128  1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe  omsecor.exe
    PID 3140 wrote to memory of 3168  3140  omsecor.exe                                           omsecor.exe
    PID 3140 wrote to memory of 3168  3140  omsecor.exe                                           omsecor.exe
    PID 3140 wrote to memory of 3168  3140  omsecor.exe                                           omsecor.exe
    PID 3168 wrote to memory of 3596  3168  omsecor.exe                                           omsecor.exe
    PID 3168 wrote to memory of 3596  3168  omsecor.exe                                           omsecor.exe
    PID 3168 wrote to memory of 3596  3168  omsecor.exe                                           omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe"
   PID: 4128
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 3140
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 3168
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 3596
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

- C:\Users\Admin\AppData\Roaming\omsecor.exe
  Filesize: 64KB
  MD5: a1765f2f554a070bcf671e91c91d3e31
  SHA1: db72151e98bad7f6d99554c88d8bf47a95bd98f4
  SHA256: c57610f0f14d60015bf9303657ee31ef6d8ffac9bdc80ff439dbfe61412be66b
  SHA512: 3be1c2efdf19a155da8a2d8bd9bcc34b463a949f42943729df6341eb5d90f4b05595c5c77b5286fcadcfbcc778c292e259112e29f0dfceb1316fd7a0bc0c2de3

- C:\Users\Admin\AppData\Roaming\omsecor.exe
  Filesize: 64KB
  MD5: c664366df778b7cb9af2defa43904937
  SHA1: 1877cad278216c47993f20d324c62ba2f7424120
  SHA256: 1c099876cab02618c6542a209d18711d558661cd03eb96e40603355d2fcf1d73
  SHA512: 1b615aede976e2972d2bed26e73dd068c293fb931dd972b0bd2ab7864984af8affef82394c5f751d43bec03c6bbf77930539f4fec50d388549d83dc2c97c2559

- C:\Windows\SysWOW64\omsecor.exe
  Filesize: 64KB
  MD5: c01461b4ffbc538b8e3b3b570c142f5b
  SHA1: 36da84b63d89159b0a03ebe61929584dbda67d1d
  SHA256: 41dee656b5226921150815e37d3b8a2d110c3e76bc4d3c2c54c8077a987e1ebd
  SHA512: 754e53aa8c45fa6587a0401caa9e8abdf2e6a9f87a8edd985ac2e3f97e80707278cfdfccfe181ed98a8751b4d3f3d957f7739f1a06cd5c7baa448e1b5858744c