Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26/05/2024, 23:14
Behavioral task: behavioral1
- Sample: 0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe
- Resource: win7-20240221-en
General
- Target: 0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe
- Size: 65KB
- MD5: 0b291e1681d27801782c43013bc35810
- SHA1: cfd1e8cf2953456f8041da203ea9f9e1b046aa22
- SHA256: 6ed443366a00b45ba405dc7e710f8fceb34683d97ddf14d1f3e79f113206be94
- SHA512: 0f6f52598ca9e571957e0d027031cd00afd1779ea9ede642d3f26dabc6c8957b5ee2a58d8d1b6a026f82ff90852067aa7b81c6e576145f44fa64b63b7efb88c8
- SSDEEP: 1536:Td9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZcl/5:TdseIO+EZEyFjEOFqTiQmOl/5
Malware Config
Extracted
- neconyd
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  pid / Process:
  - 2820  omsecor.exe
  - 1460  omsecor.exe
  - 2192  omsecor.exe
- Loads dropped DLL (6 IoCs)
  pid / Process:
  - 1736  0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe
  - 1736  0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe
  - 2820  omsecor.exe
  - 2820  omsecor.exe
  - 1460  omsecor.exe
  - 1460  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description / ioc / Process:
  - File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target:
  - PID 1736 wrote to memory of 2820  1736  0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe  28
  - PID 1736 wrote to memory of 2820  1736  0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe  28
  - PID 1736 wrote to memory of 2820  1736  0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe  28
  - PID 1736 wrote to memory of 2820  1736  0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe  28
  - PID 2820 wrote to memory of 1460  2820  omsecor.exe  32
  - PID 2820 wrote to memory of 1460  2820  omsecor.exe  32
  - PID 2820 wrote to memory of 1460  2820  omsecor.exe  32
  - PID 2820 wrote to memory of 1460  2820  omsecor.exe  32
  - PID 1460 wrote to memory of 2192  1460  omsecor.exe  33
  - PID 1460 wrote to memory of 2192  1460  omsecor.exe  33
  - PID 1460 wrote to memory of 2192  1460  omsecor.exe  33
  - PID 1460 wrote to memory of 2192  1460  omsecor.exe  33
Processes
- C:\Users\Admin\AppData\Local\Temp\0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe"
  PID: 1736
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2820
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 1460
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2192
        - Executes dropped EXE
Downloads