Analysis
max time kernel: 120s
max time network: 130s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 25/05/2024, 17:21
Behavioral task: behavioral1
Sample: 6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe
Resource: win7-20240419-en
General
Target: 6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe
Size: 72KB
MD5: 6cb482fdcf5eafb514dace02f1266020
SHA1: 16775995cc52f175c343ab4174e2c6afcfeea569
SHA256: caad4e0d449f083f66be0075e858b452f5aefb8cf05a8edff32fc17f0762c74f
SHA512: 7382728b1beefe1945d4c98cac0dbd8dd6dbbefca87a64ee3889a786a59b2d5a31f20fc373a21847e57bfc790d48bc10eca763e09a600fbd210c0959286eefad
SSDEEP: 768:MMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:MbIvYvZEyFKF6N4yS+AQmZTl/5O
Malware Config
Extracted from the sample (family: neconyd):
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  1520  omsecor.exe
  2920  omsecor.exe
  2720  omsecor.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  2172  6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe
  2172  6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe
  1520  omsecor.exe
  1520  omsecor.exe
  2920  omsecor.exe
  2920  omsecor.exe

Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs; each call is logged four times)
  description                       pid   Process                                              procid_target
  PID 2172 wrote to memory of 1520  2172  6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe  28
  PID 2172 wrote to memory of 1520  2172  6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe  28
  PID 2172 wrote to memory of 1520  2172  6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe  28
  PID 2172 wrote to memory of 1520  2172  6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe  28
  PID 1520 wrote to memory of 2920  1520  omsecor.exe                                          32
  PID 1520 wrote to memory of 2920  1520  omsecor.exe                                          32
  PID 1520 wrote to memory of 2920  1520  omsecor.exe                                          32
  PID 1520 wrote to memory of 2920  1520  omsecor.exe                                          32
  PID 2920 wrote to memory of 2720  2920  omsecor.exe                                          33
  PID 2920 wrote to memory of 2720  2920  omsecor.exe                                          33
  PID 2920 wrote to memory of 2720  2920  omsecor.exe                                          33
  PID 2920 wrote to memory of 2720  2920  omsecor.exe                                          33
Processes

1. C:\Users\Admin\AppData\Local\Temp\6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe (PID 2172)
   Command line: "C:\Users\Admin\AppData\Local\Temp\6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1520)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe (PID 2920)
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2720)
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE

Note on stage 3: the command line names C:\Windows\System32, but the image on disk is C:\Windows\SysWOW64. The sample is a 32-bit binary (resource tag arch:x86) on an x64 guest, so the WoW64 file system redirector maps its System32 path to SysWOW64; this is the same file recorded under "Drops file in System32 directory". Detection logic that keys on a literal System32 path will miss it.
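Reconstructing the execution chain from the WriteProcessMemory rows and process list above, as an added example that is not part of the tria.ge report or the sample. The rows are constructed from the signature table (a subset of the 12 rows, keeping a repeat to show the de-duplication), the PID-to-image map is taken from the process list, and the function names are assumptions; it walks writer-to-target edges from the sample to the last stage and flags the profile-to-system-directory-to-profile bounce that the tree shows.

```python
import re

# Constructed from the report's "Suspicious use of WriteProcessMemory" rows:
# a subset of the 12 rows, with one repeat kept to show the de-duplication.
WPM_ROWS = """
PID 2172 wrote to memory of 1520 2172 6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe 28
PID 2172 wrote to memory of 1520 2172 6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe 28
PID 1520 wrote to memory of 2920 1520 omsecor.exe 32
PID 1520 wrote to memory of 2920 1520 omsecor.exe 32
PID 2920 wrote to memory of 2720 2920 omsecor.exe 33
"""

# Constructed from the report's process list: PID -> image path on disk.
PROCESS_IMAGES = {
    2172: r"C:\Users\Admin\AppData\Local\Temp\6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe",
    1520: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    2920: r"C:\Windows\SysWOW64\omsecor.exe",
    2720: r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
}

# Columns as printed in the signature table: description, pid, Process, procid_target.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")


def parse_wpm(text):
    """Parse rows into distinct (writer_pid, target_pid, writer_image) tuples in
    first-seen order. The sandbox logs one row per hooked call, so repeats are normal."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue
        rec = (int(m.group(1)), int(m.group(2)), m.group(3))
        if rec not in events:
            events.append(rec)
    return events


def parent_map(events):
    """target_pid -> writer_pid. The first process that writes into a PID is treated
    as its creator; a later writer (an injector) does not overwrite that edge."""
    parents = {}
    for writer, target, _ in events:
        parents.setdefault(target, writer)
    return parents


def leaves(parents):
    """PIDs that were written to but never wrote to anyone: the end of each chain."""
    return sorted(t for t in parents if t not in parents.values())


def lineage(parents, pid):
    """Root-to-leaf PID chain ending at pid."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def stage_dirs(chain, images):
    """Directory each stage of the chain runs from, lower-cased for comparison."""
    return [images[p].rsplit("\\", 1)[0].lower() for p in chain]


def bounces_through_system_dir(dirs):
    """True if a stage under a user profile directory starts one under C:\\Windows
    which then starts another stage back under a profile directory."""
    def in_profile(d):
        return d.startswith("c:\\users\\")

    def in_windows(d):
        return d.startswith("c:\\windows\\")

    return any(in_profile(a) and in_windows(b) and in_profile(c)
               for a, b, c in zip(dirs, dirs[1:], dirs[2:]))


if __name__ == "__main__":
    parents = parent_map(parse_wpm(WPM_ROWS))
    for leaf in leaves(parents):
        chain = lineage(parents, leaf)
        print(" -> ".join(str(p) for p in chain))
        dirs = stage_dirs(chain, PROCESS_IMAGES)
        print("  bounce via system directory:", bounces_through_system_dir(dirs))
```

The bounce check is written against the on-disk image path rather than the command line, because a 32-bit process that asks for System32 lands in SysWOW64 under WoW64 redirection; matching on what was requested would miss stage 3 here.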
Network
MITRE ATT&CK Matrix
Downloads

File 1
  Filesize: 72KB
  MD5: c2b58aed5b502435639debdedb89a3be
  SHA1: be75620f07b1f3ea8deca000389c12cb3165892e
  SHA256: d9f31f7764703968d592d8768f8d731ea5fb8505d7fccb29dbda4c68281a1ba6
  SHA512: cea465b9187b028b7bb043f278db8dd8581edd5670bb353712c49c1a73379485b793d3c38411adec33b2781cd69831d8efb76373ae357b2615e1510362b8f7b3

File 2
  Filesize: 72KB
  MD5: 94ac29ae95efb34ea778781d5e910179
  SHA1: 72b32c01cc25aebbcf31e877f7ba1fad88d8e88c
  SHA256: d15e4a7b48682218c3e1f0e033adaca5dbe7aa48b47310fc61ef8e55629bf023
  SHA512: f98f4e181163511eb00521d7ef2850afc1b73dded69d61973656b341ae4b49575c822dadc10263cc1af1f6e579ae84a40948b4abbce15119acd1ffd4507da9ec

File 3
  Filesize: 72KB
  MD5: ba37e74f23744bf7c106da67afd241f3
  SHA1: 4c39409c09be21e3a50840a9fedd8a665ed0302d
  SHA256: 4e9de5e38e31ee627a80bf0529f7f59b2344fa7e30e83b03fe28ffb83867f48e
  SHA512: bb8312f15db73d34f0559010203fa69c16eb13042d1261dd30b50d42d26a594445418e8346234e725eaf3933ae1bed1b2d34e844f0825a5dc3567cd4a60af70d

All three files are 72KB, the same size as the submitted sample, yet each carries hashes that differ from the sample's and from one another. Treat these hashes as single-run indicators; the fixed file name omsecor.exe, the drop paths in the process tree and the extracted URLs are the more durable indicators from this report.