Analysis
- max time kernel: 147s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 08:32
Behavioral task: behavioral1
- Sample: 3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe
- Resource: win7-20240508-en
General
- Target: 3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe
- Size: 80KB
- MD5: 3dae0b8e7aaa90368482f1c5b475d330
- SHA1: a72a2487ed1e473b78bab544e56a7582feb0ea88
- SHA256: bb298dc0bd16e09c8e916c339bdebfd12002d645745371d61f27f5dc48f8b7f5
- SHA512: 36fa22d2214d689f2bbf8a0bbf836a72d74ac71172609a05e1138c6364b65375429bac3397814d3f9a35719f8e01d6b4f8368dc220c015fa87277a8259eff61c
- SSDEEP: 768:zfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:zfbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    1236  omsecor.exe
    2772  omsecor.exe
    1640  omsecor.exe
- Loads dropped DLL (6 IoCs)
  Processes:
    pid   process
    1548  3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe
    1548  3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe
    1236  omsecor.exe
    1236  omsecor.exe
    2772  omsecor.exe
    2772  omsecor.exe
- Drops file in System32 directory (1 IoC)
  Processes:
    description   ioc                              process
    File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                                               target process
    PID 1548 wrote to memory of 1236  1548  3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe  omsecor.exe
    PID 1548 wrote to memory of 1236  1548  3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe  omsecor.exe
    PID 1548 wrote to memory of 1236  1548  3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe  omsecor.exe
    PID 1548 wrote to memory of 1236  1548  3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe  omsecor.exe
    PID 1236 wrote to memory of 2772  1236  omsecor.exe                                           omsecor.exe
    PID 1236 wrote to memory of 2772  1236  omsecor.exe                                           omsecor.exe
    PID 1236 wrote to memory of 2772  1236  omsecor.exe                                           omsecor.exe
    PID 1236 wrote to memory of 2772  1236  omsecor.exe                                           omsecor.exe
    PID 2772 wrote to memory of 1640  2772  omsecor.exe                                           omsecor.exe
    PID 2772 wrote to memory of 1640  2772  omsecor.exe                                           omsecor.exe
    PID 2772 wrote to memory of 1640  2772  omsecor.exe                                           omsecor.exe
    PID 2772 wrote to memory of 1640  2772  omsecor.exe                                           omsecor.exe
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - Depth 3: C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - Depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- \Users\Admin\AppData\Roaming\omsecor.exe
  Filesize: 80KB
  MD5: d57fab3d03ba2c057422b6cadc68d008
  SHA1: 1e5bd0e2ae3716e51f4e182c7557910b5b536959
  SHA256: 3a9ca99328a6dcbf319ceeff23809576d187e90e1e735f46884ac32050f03d74
  SHA512: 8f6edfe7bc42800e0f13c5ac81f161f21f1d0cc90334879921a7d2d9953c3f0c9b465ae674f12291ccfa84cda02fa0674d81bab31ce591d097e6a9e7849e26f5
- \Users\Admin\AppData\Roaming\omsecor.exe
  Filesize: 80KB
  MD5: 00e231e402542677f82b4c994ac8efb5
  SHA1: 50509377533586ef33521ded483e0df4bbe7f53b
  SHA256: d9510f47fdc11e52b3509c1c263960b13adc5608d9960d34595a4133719a812d
  SHA512: 34472f9b87ea34ce397145c6ebe71fc62df2ccbe1ca623578851c1cf6bbc3eeb4367b175c9d79efdc2e7bd8d273df313d51de1688fe5156771e98c614d1e6194
- \Windows\SysWOW64\omsecor.exe
  Filesize: 80KB
  MD5: 7f0afb356eb4b826e648a789807e40c3
  SHA1: 30f636ca5dcda94af6bad191f2db47f649950872
  SHA256: d32159a9767a3f0cb30e802c51a18f262ddefb88d38f12ddf4d695648ce4dcce
  SHA512: b7a235acb930566e5bb6e470fd0701a6a845609a70998bf1fc3247044b138681d9ab001725408cf8cdbed2825c76bc49a271004e8b711448bae7da5a45f95d32