Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 145s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 26/05/2024, 09:12
Behavioral task
- behavioral1
- Sample: a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe
- Resource: win7-20240508-en
General
- Target: a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe
- Size: 88KB
- MD5: a3c865f8aaebac9423eaacfa147e5b10
- SHA1: c2d70c2edee43c9e8d7cbaf29abeba333b838033
- SHA256: a93dc0df74c3802331cb3071a6b6fede81223aab056e9c54f72522816d4b65be
- SHA512: a192e7a046bef5c53475748e03bd24db95a7e4874a55606ea622f123f105e15965022a1f16ea239521f96f296439473108be993a2918b892e8ea7d2fa2ffe438
- SSDEEP: 768:+MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:+bIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted
- Family: neconyd
- C2 URLs:
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  3068  omsecor.exe
  2856  omsecor.exe
  3004  omsecor.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2956  a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe
  2956  a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe
  3068  omsecor.exe
  3068  omsecor.exe
  2856  omsecor.exe
  2856  omsecor.exe
- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                              procid_target
  PID 2956 wrote to memory of 3068   2956  a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe  28
  PID 2956 wrote to memory of 3068   2956  a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe  28
  PID 2956 wrote to memory of 3068   2956  a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe  28
  PID 2956 wrote to memory of 3068   2956  a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe  28
  PID 3068 wrote to memory of 2856   3068  omsecor.exe                                          32
  PID 3068 wrote to memory of 2856   3068  omsecor.exe                                          32
  PID 3068 wrote to memory of 2856   3068  omsecor.exe                                          32
  PID 3068 wrote to memory of 2856   3068  omsecor.exe                                          32
  PID 2856 wrote to memory of 3004   2856  omsecor.exe                                          33
  PID 2856 wrote to memory of 3004   2856  omsecor.exe                                          33
  PID 2856 wrote to memory of 3004   2856  omsecor.exe                                          33
  PID 2856 wrote to memory of 3004   2856  omsecor.exe                                          33
Processes
- C:\Users\Admin\AppData\Local\Temp\a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe (PID 2956, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3068, depth 2)
    command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (PID 2856, depth 3)
      command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3004, depth 4)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE

Note: for PID 2856 the command line names C:\Windows\System32\omsecor.exe while the image path recorded is C:\Windows\SysWOW64\omsecor.exe. The sample is tagged arch:x86 on a windows7-x64 image, and for a 32-bit process on 64-bit Windows file system redirection maps System32 to SysWOW64; this is consistent with the "Drops file in System32 directory" IoC, which records the file created at C:\Windows\SysWOW64\omsecor.exe. The chain is the sample launching a same-named copy from AppData\Roaming, which launches a copy from the system directory, which launches the AppData\Roaming copy again.
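The process tree above is the kind of pattern a detection engineer would want to catch from endpoint telemetry rather than only from a sandbox run. The following is an added example, not code from the tria.ge report: it reconstructs a process tree from process-creation events and flags a chain where a dropper launches a same-named binary from a user-writable directory, which then re-launches under the same name from a system directory, and it separately notes the System32/SysWOW64 mismatch between command line and image. The events are constructed to mirror the report's PIDs and paths; the field names (ProcessId, ParentProcessId, Image, CommandLine) follow Sysmon Event ID 1 naming and the parent PID of the first process is made up, both of which are assumptions rather than data from the report.

```python
import ntpath
from collections import defaultdict

# Constructed events mirroring the report's process tree (PIDs 2956 -> 3068
# -> 2856 -> 3004). Sysmon-style field names are an assumption about the log
# source; the parent PID 1234 of the dropper is made up.
EVENTS = [
    {"ProcessId": 2956, "ParentProcessId": 1234,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe"'},
    {"ProcessId": 3068, "ParentProcessId": 2956,
     "Image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"ProcessId": 2856, "ParentProcessId": 3068,
     "Image": r"C:\Windows\SysWOW64\omsecor.exe",
     "CommandLine": r"C:\Windows\System32\omsecor.exe"},
    {"ProcessId": 3004, "ParentProcessId": 2856,
     "Image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
]

USER_WRITABLE = ("/appdata/roaming/", "/appdata/local/temp/")
SYSTEM_DIRS = ("/windows/syswow64/", "/windows/system32/")


def norm(path):
    """Lower-case and forward-slash a Windows path so substring checks are simple."""
    return path.lower().replace("\\", "/")


def location(image):
    """Classify where an image ran from: user-writable, system, or other."""
    p = norm(image)
    if any(d in p for d in USER_WRITABLE):
        return "user-writable"
    if any(d in p for d in SYSTEM_DIRS):
        return "system"
    return "other"


def build_tree(events):
    """Index events by PID and build a parent -> children map."""
    by_pid = {e["ProcessId"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e["ProcessId"])
    return by_pid, children


def ancestry(by_pid, pid):
    """Root-first PID chain; stops when the parent was not seen in the events."""
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]


def wow64_redirected(event):
    """Command line names System32 but the image ran from SysWOW64, i.e. file
    system redirection for a 32-bit process on 64-bit Windows."""
    return ("/windows/system32/" in norm(event["CommandLine"])
            and "/windows/syswow64/" in norm(event["Image"]))


def find_self_copy_chains(events):
    """Flag dropper -> same-named copy in a user-writable dir -> same name
    re-launched from a system dir, as in the report's omsecor.exe chain.
    Each (grandparent, parent, child) triple is reported once."""
    by_pid, _ = build_tree(events)
    findings, seen = [], set()
    for e in events:
        chain = ancestry(by_pid, e["ProcessId"])
        names = [ntpath.basename(by_pid[p]["Image"]).lower() for p in chain]
        locs = [location(by_pid[p]["Image"]) for p in chain]
        for i in range(1, len(chain) - 1):
            key = (chain[i - 1], chain[i], chain[i + 1])
            if key in seen:
                continue
            if (names[i] == names[i + 1] and names[i] != names[i - 1]
                    and locs[i] == "user-writable" and locs[i + 1] == "system"):
                seen.add(key)
                findings.append({
                    "chain": key,
                    "dropped_name": names[i],
                    "wow64_redirect": wow64_redirected(by_pid[key[2]]),
                })
    return findings


if __name__ == "__main__":
    for finding in find_self_copy_chains(EVENTS):
        print(finding)
```

Run against the constructed events this yields a single finding for the triple (2956, 3068, 2856) with dropped_name omsecor.exe and wow64_redirect True; the fourth process (3004) extends the same chain and is not reported separately. Matching on image path rather than command line is deliberate, since the command line is attacker-controlled and, as this report shows, can name a directory the process never actually ran from.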
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 88KB
  MD5: 2504d2a7777077f3afb7fb7df1ec343e
  SHA1: c26d2abec5b105256d029b5c4698a51365b418d4
  SHA256: f62894e7bad95d59d5878c2dbd7c156190007222c17931d2e4be6698ec5b7dba
  SHA512: b13d014e232c9b1bbdded3d7dca2b41f6d16e7198ea4138f213f4129d7f8ae78c15169a5dbcea6bb826ec8707859fe6d84b767ce2a61f673244fe6537785b6e9
- Filesize: 88KB
  MD5: 73184ee3eae4e13d13183214d8d8ef4b
  SHA1: 150d80fd00f4816596fb031b718bd93bfad935f3
  SHA256: 0b6d359d91e23e90581414fca728660e08d702a3d4d1f5cc2a11f0d1fbbb2c5c
  SHA512: ba540f16534e6516ada3930f7f9da054bb3d1daff120389ca3a8f9f1ef3594a1e7d3a349725f50785a454241ca57fd59bee355ca79ebbd717d5f675dbc15bd9f
- Filesize: 88KB
  MD5: b3f92ceef0d100db3ae185fec261a8dc
  SHA1: 435fd1da08c5b7772123a7bb6961b66143e2bb54
  SHA256: 855c209b5026ae7747b5cc93d1afa56e2efa02b16ae253a85178a4512374b511
  SHA512: a62ff457123a38333cd2e6673e8f25a86abc1aeb83d654b627837d9cfe22d7000d7a016906366d03f8ea75a926e4179de90afefd719dcb1608153df565b295bc