Analysis

Max time kernel: 148s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25/05/2024, 07:26
Behavioral task: behavioral1
Sample: afbb7bec4957278a457404553dd653c0_NeikiAnalytics.exe
Resource: win7-20240220-en
General

Target: afbb7bec4957278a457404553dd653c0_NeikiAnalytics.exe
Size: 35KB
MD5: afbb7bec4957278a457404553dd653c0
SHA1: a5a833b252e36a9abfaaab1fe69de162fb46218a
SHA256: 47ab902eec098f0bc032806dc1a398f97ce489a16fdefd9a45a3e9797b14f1e0
SHA512: 59489ed4e084134b0567964ee97dd43ff6b201832c06636b25267f84e9a3d087fb92c45906cd9bb56f1b9debcc621c94aadbd3f0e053aaef23e0e3ab59e20d1d
SSDEEP: 768:i6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:R8Z0kA7FHlO2OwOTUtKjpB
Malware Config

Extracted: neconyd
URLs:
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  900   omsecor.exe
  1048  omsecor.exe
  2612  omsecor.exe

YARA rule matches (yara_rule: upx)
  resource
  behavioral2/memory/3968-0-0x0000000000400000-0x000000000042D000-memory.dmp
  behavioral2/memory/3968-5-0x0000000000400000-0x000000000042D000-memory.dmp
  behavioral2/files/0x000a0000000233d8-3.dat
  behavioral2/memory/900-7-0x0000000000400000-0x000000000042D000-memory.dmp
  behavioral2/memory/900-8-0x0000000000400000-0x000000000042D000-memory.dmp
  behavioral2/memory/900-11-0x0000000000400000-0x000000000042D000-memory.dmp
  behavioral2/memory/900-14-0x0000000000400000-0x000000000042D000-memory.dmp
  behavioral2/memory/900-15-0x0000000000400000-0x000000000042D000-memory.dmp
  behavioral2/files/0x0008000000023409-18.dat
  behavioral2/memory/900-20-0x0000000000400000-0x000000000042D000-memory.dmp
  behavioral2/files/0x000a0000000233d8-25.dat
  behavioral2/memory/1048-23-0x0000000000400000-0x000000000042D000-memory.dmp
  behavioral2/memory/2612-27-0x0000000000400000-0x000000000042D000-memory.dmp
  behavioral2/memory/2612-29-0x0000000000400000-0x000000000042D000-memory.dmp
  behavioral2/memory/2612-32-0x0000000000400000-0x000000000042D000-memory.dmp

Drops file in System32 directory (1 IoC)
  description   ioc                               Process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                   pid   Process                                               procid_target
  PID 3968 wrote to memory of   900   afbb7bec4957278a457404553dd653c0_NeikiAnalytics.exe   82
  PID 3968 wrote to memory of   900   afbb7bec4957278a457404553dd653c0_NeikiAnalytics.exe   82
  PID 3968 wrote to memory of   900   afbb7bec4957278a457404553dd653c0_NeikiAnalytics.exe   82
  PID 900 wrote to memory of    1048  omsecor.exe                                           95
  PID 900 wrote to memory of    1048  omsecor.exe                                           95
  PID 900 wrote to memory of    1048  omsecor.exe                                           95
  PID 1048 wrote to memory of   2612  omsecor.exe                                           96
  PID 1048 wrote to memory of   2612  omsecor.exe                                           96
  PID 1048 wrote to memory of   2612  omsecor.exe                                           96
Processes

C:\Users\Admin\AppData\Local\Temp\afbb7bec4957278a457404553dd653c0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\afbb7bec4957278a457404553dd653c0_NeikiAnalytics.exe"
  PID: 3968
  Signatures: Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 900
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 1048
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2612
        Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

File 1
  Filesize: 35KB
  MD5: dfc8310be30664404dc4e58d4d70bed4
  SHA1: 93786a3baeb6aa438b641b53b6ccec9a9659a27a
  SHA256: c595d6bfdbdf6609eff054369cfeae26c9d33c4bf131849dda6711c3070e066b
  SHA512: bbf0820b3f8401f4e9156db98718a8004611fae69cb1c3f575a5849694f89726b05e86d63545edad4197b723ec003f709ca0323deaea9775433426e5ce27cbef

File 2
  Filesize: 35KB
  MD5: 3b656d2e78fc5933bee0e2a7ba8e7d68
  SHA1: f840ed74e47e4f4c72767a07eafd94c4c09b1858
  SHA256: 49e11a9bcc4bff373a6d1ba94792bbeb8fbcc08cb8e3e9c829462f67ddae3044
  SHA512: c5a5d85dafbf0c5273555678ea8017884ada5a96f05cc13beebf8718fdcd50b851a3737bca2a6ab031fc59c32c8fa0934f471a075626e469e691c48cb5213ba5

File 3
  Filesize: 35KB
  MD5: 63c9f699d013bcbb11101971969ec462
  SHA1: 422c9c4e6fbde81b7efd387d863b1cb39af0e290
  SHA256: bb6935ec95515e4148d09d90f17e360c974741d8ea9ce88facbec084282996e8
  SHA512: d668ea5a588afd14cce7548ca58fb9f44ed6ab884497c43efa110dbf88377e2d33e8f8bc14917898f6c42b4585e1f0b114d14c298295240c9977643ce43edbd0