Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 146s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/05/2024, 17:21
Behavioral task: behavioral1
Sample: 6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe
Resource: win7-20240419-en
General
Target: 6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe
Size: 72KB
MD5: 6cb482fdcf5eafb514dace02f1266020
SHA1: 16775995cc52f175c343ab4174e2c6afcfeea569
SHA256: caad4e0d449f083f66be0075e858b452f5aefb8cf05a8edff32fc17f0762c74f
SHA512: 7382728b1beefe1945d4c98cac0dbd8dd6dbbefca87a64ee3889a786a59b2d5a31f20fc373a21847e57bfc790d48bc10eca763e09a600fbd210c0959286eefad
SSDEEP: 768:MMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:MbIvYvZEyFKF6N4yS+AQmZTl/5O
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  3000  omsecor.exe
  1680  omsecor.exe
  3168  omsecor.exe

Drops file in System32 directory (1 IoCs)
  description   ioc                               Process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                          pid   Process                                              procid_target
  PID 5108 wrote to memory of 3000     5108  6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe  83
  PID 5108 wrote to memory of 3000     5108  6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe  83
  PID 5108 wrote to memory of 3000     5108  6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe  83
  PID 3000 wrote to memory of 1680     3000  omsecor.exe                                          98
  PID 3000 wrote to memory of 1680     3000  omsecor.exe                                          98
  PID 3000 wrote to memory of 1680     3000  omsecor.exe                                          98
  PID 1680 wrote to memory of 3168     1680  omsecor.exe                                          99
  PID 1680 wrote to memory of 3168     1680  omsecor.exe                                          99
  PID 1680 wrote to memory of 3168     1680  omsecor.exe                                          99
Processes

1. C:\Users\Admin\AppData\Local\Temp\6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe"
   PID: 5108
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 3000
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 1680
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 3168
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 72KB
MD5: ecda00f5a5266acf0d5c74adabbd2cd7
SHA1: 7dba25b3cb98c8d2dbda302b1625edd3e7a9afad
SHA256: e256147cfd3d01dfba291580daa1d003f247c82163ab7fdf205f236c449896f6
SHA512: 4e035a470974abf0181d4b3b22128c3749afdedbbff3d51609d4a3697f74cefdbb9ed5dd0a562262fca3b60d3e471dbc287d6d8b76e3bb65fecc1595572eed91

Filesize: 72KB
MD5: c2b58aed5b502435639debdedb89a3be
SHA1: be75620f07b1f3ea8deca000389c12cb3165892e
SHA256: d9f31f7764703968d592d8768f8d731ea5fb8505d7fccb29dbda4c68281a1ba6
SHA512: cea465b9187b028b7bb043f278db8dd8581edd5670bb353712c49c1a73379485b793d3c38411adec33b2781cd69831d8efb76373ae357b2615e1510362b8f7b3

Filesize: 72KB
MD5: a6c56c7536fdd61295043798cd56681b
SHA1: 511da4cd398f02791da1cd5b4730c8d3b262709d
SHA256: f54769c8a30ece53777abac75820e1b520f07c9f2f4a4eff1a604ea2ef077d71
SHA512: 427f9f2fd79338097bb194452038eeccf8f0f3e485bc0f342c53c250fcca7432bd7fc3a2a269944f1fee7c3b41cd3b7758027a8a0a639363e641cc39a2752236