Analysis
Max time kernel: 146s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23-05-2024 08:32

Behavioral task: behavioral1
Sample: 3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: 3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe
Size: 80KB
MD5: 3dae0b8e7aaa90368482f1c5b475d330
SHA1: a72a2487ed1e473b78bab544e56a7582feb0ea88
SHA256: bb298dc0bd16e09c8e916c339bdebfd12002d645745371d61f27f5dc48f8b7f5
SHA512: 36fa22d2214d689f2bbf8a0bbf836a72d74ac71172609a05e1138c6364b65375429bac3397814d3f9a35719f8e01d6b4f8368dc220c015fa87277a8259eff61c
SSDEEP: 768:zfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:zfbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: omsecor.exe, omsecor.exe, omsecor.exe
  pid / process:
  408 omsecor.exe
  3356 omsecor.exe
  3016 omsecor.exe
- Drops file in System32 directory (1 IoC)
  Processes: omsecor.exe
  description / ioc / process:
  File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe, omsecor.exe, omsecor.exe
  description / pid / process / target process:
  PID 3480 wrote to memory of 408 3480 3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe omsecor.exe
  PID 3480 wrote to memory of 408 3480 3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe omsecor.exe
  PID 3480 wrote to memory of 408 3480 3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe omsecor.exe
  PID 408 wrote to memory of 3356 408 omsecor.exe omsecor.exe
  PID 408 wrote to memory of 3356 408 omsecor.exe omsecor.exe
  PID 408 wrote to memory of 3356 408 omsecor.exe omsecor.exe
  PID 3356 wrote to memory of 3016 3356 omsecor.exe omsecor.exe
  PID 3356 wrote to memory of 3016 3356 omsecor.exe omsecor.exe
  PID 3356 wrote to memory of 3016 3356 omsecor.exe omsecor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  Filesize: 80KB
  MD5: d57fab3d03ba2c057422b6cadc68d008
  SHA1: 1e5bd0e2ae3716e51f4e182c7557910b5b536959
  SHA256: 3a9ca99328a6dcbf319ceeff23809576d187e90e1e735f46884ac32050f03d74
  SHA512: 8f6edfe7bc42800e0f13c5ac81f161f21f1d0cc90334879921a7d2d9953c3f0c9b465ae674f12291ccfa84cda02fa0674d81bab31ce591d097e6a9e7849e26f5
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  Filesize: 80KB
  MD5: 2a4a0d460e9d7a1460c538fd54a33af7
  SHA1: 57296acc3a5fdf9534938272e04f45049087ccdd
  SHA256: a5632f961a61ba10cd7995ae9fa87fbf413cc5b090f61d7e977e8840af7b5076
  SHA512: 298263efe431e59c183c710f08f0046056164d0e095b145279fc66aafee564c1a2420a6990e284b43a86dd05da4e76f2d2877be1dcdf98a2adcb73d881e6e02a
- C:\Windows\SysWOW64\omsecor.exe
  Filesize: 80KB
  MD5: 36961316c43c8ee6ba6e9896df651986
  SHA1: daffbbf0bb5be65e21ace925bc1a2ec31e6661bf
  SHA256: 8ff26a6d0b07e32ed60749924c440bf7d8f734eda940a31477c93ca85fb5528d
  SHA512: de061992b0127071e7613f345a1911dc501c01c23ad437766759746c1b1610159eef0d9e5044db760100bfc0e80ef79070aa88e088b7be2220327c36f0a4e859