Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system -
submitted
09/06/2024, 08:19
Behavioral task
behavioral1
Sample
175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe
Resource
win7-20240220-en
General
-
Target
175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe
-
Size
35KB
-
MD5
175042bbe00a4a4a19ff0a5350a75220
-
SHA1
3417d6ca602ed86e42277504cc9ee324559d8a15
-
SHA256
d3892ab51867b39296f5e3dbf80326ac26af2f694951bbc359142989e1e00968
-
SHA512
5f5902d697c3cb563b9c512fececb2897742846aea52fb2a004acec49e8b6845c38a795270ae70c8f80e8dea90bbed8b6f32619eb18b5ca812ce94bec6d3ff9c
-
SSDEEP
768:C6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:x8Z0kA7FHlO2OwOTUtKjpB
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Executes dropped EXE 3 IoCs
pid   Process
1792  omsecor.exe
1804  omsecor.exe
1752  omsecor.exe
-
resource                                                                  yara_rule
behavioral2/memory/2836-0-0x0000000000400000-0x000000000042D000-memory.dmp   upx
behavioral2/files/0x000a0000000232ae-3.dat                                   upx
behavioral2/memory/2836-6-0x0000000000400000-0x000000000042D000-memory.dmp   upx
behavioral2/memory/1792-7-0x0000000000400000-0x000000000042D000-memory.dmp   upx
behavioral2/memory/1792-8-0x0000000000400000-0x000000000042D000-memory.dmp   upx
behavioral2/memory/1792-11-0x0000000000400000-0x000000000042D000-memory.dmp  upx
behavioral2/memory/1792-14-0x0000000000400000-0x000000000042D000-memory.dmp  upx
behavioral2/memory/1792-15-0x0000000000400000-0x000000000042D000-memory.dmp  upx
behavioral2/files/0x000a0000000232ae-28.dat                                  upx
behavioral2/memory/1752-27-0x0000000000400000-0x000000000042D000-memory.dmp  upx
behavioral2/memory/1804-26-0x0000000000400000-0x000000000042D000-memory.dmp  upx
behavioral2/memory/1804-21-0x0000000000400000-0x000000000042D000-memory.dmp  upx
behavioral2/files/0x000c000000021793-20.dat                                  upx
behavioral2/memory/1792-19-0x0000000000400000-0x000000000042D000-memory.dmp  upx
behavioral2/memory/1752-29-0x0000000000400000-0x000000000042D000-memory.dmp  upx
behavioral2/memory/1752-32-0x0000000000400000-0x000000000042D000-memory.dmp  upx
-
Drops file in System32 directory 1 IoCs
description   ioc                               Process
File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description                     pid   Process                                                procid_target
PID 2836 wrote to memory of 1792  2836  175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe   83
PID 2836 wrote to memory of 1792  2836  175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe   83
PID 2836 wrote to memory of 1792  2836  175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe   83
PID 1792 wrote to memory of 1804  1792  omsecor.exe                                            95
PID 1792 wrote to memory of 1804  1792  omsecor.exe                                            95
PID 1792 wrote to memory of 1804  1792  omsecor.exe                                            95
PID 1804 wrote to memory of 1752  1804  omsecor.exe                                            96
PID 1804 wrote to memory of 1752  1804  omsecor.exe                                            96
PID 1804 wrote to memory of 1752  1804  omsecor.exe                                            96
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2836
  Depth 2: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 1792
    Depth 3: C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1804
      Depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        PID: 1752
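The process tree above is a four-stage drop-and-execute chain: the submitted sample writes omsecor.exe to the user's Roaming profile, that copy drops a second omsecor.exe into the system directory, and the system-directory copy re-launches the Roaming copy. Two details matter for anyone turning this into a detection. First, the third process is reported with image path C:\Windows\SysWOW64\omsecor.exe while its command line names C:\Windows\System32\omsecor.exe: on 64-bit Windows the file system redirector transparently maps a 32-bit process's accesses to %windir%\System32 onto %windir%\SysWOW64, and the resource tags (arch:x86) mark this as a 32-bit sample, so a rule that only watches System32 would miss the drop. Second, every stage is a binary created earlier in the same trace, which is a stronger signal than the file name. The script below is an added example written for this page, not the sandbox's or the malware's code; it replays the report's PIDs, paths and extracted C2 hostnames as constructed Sysmon-like events (the field names are an assumption modelled on Sysmon's ProcessCreate, FileCreate and DnsQuery events, and the DnsQuery event itself is constructed, not taken from the report) and flags the dropped-file executions, the user-profile-to-system-directory drop, the WOW64 redirection, and any lookup of the configured C2 hosts.

```python
"""Detection logic for the omsecor.exe drop-and-execute chain in this report.

Added example, not part of the sandbox report. Event records are constructed,
Sysmon-like dicts (assumed field names) reproducing the page's process tree.
"""
import re
from urllib.parse import urlparse

# C2 URLs from the report's "Malware Config" section, reduced to hostnames.
C2_URLS = ["http://ow5dirasuek.com/", "http://mkkuei4kdsz.com/", "http://lousta.net/"]
C2_HOSTS = {urlparse(u).hostname.lower() for u in C2_URLS}

# Constructed event stream mirroring the report's PIDs and paths.
EVENTS = [
    {"type": "ProcessCreate", "pid": 2836, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe"'},
    {"type": "FileCreate", "pid": 2836, "target": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"type": "ProcessCreate", "pid": 1792, "ppid": 2836,
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"type": "FileCreate", "pid": 1792, "target": r"C:\Windows\SysWOW64\omsecor.exe"},
    # Command line says System32, image path says SysWOW64: WOW64 redirection.
    {"type": "ProcessCreate", "pid": 1804, "ppid": 1792,
     "image": r"C:\Windows\SysWOW64\omsecor.exe",
     "cmdline": r"C:\Windows\System32\omsecor.exe"},
    {"type": "ProcessCreate", "pid": 1752, "ppid": 1804,
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    # Constructed for the example; the report itself records no DNS lookup.
    {"type": "DnsQuery", "pid": 1752, "query": "ow5dirasuek.com"},
]

USER_PROFILE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SYSTEM_DIRS = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)


def analyse(events):
    """Return (rule, pid, detail) findings in event order."""
    procs = {}        # pid -> ProcessCreate event (last writer wins on PID reuse)
    created = set()   # lower-cased paths written during the trace
    findings = []
    for e in events:
        if e["type"] == "FileCreate":
            created.add(e["target"].lower())
            creator = procs.get(e["pid"])
            # A binary running from the user profile writing into a system directory.
            if SYSTEM_DIRS.match(e["target"]) and creator and USER_PROFILE.match(creator["image"]):
                findings.append(("system_dir_drop", e["pid"], e["target"]))
        elif e["type"] == "ProcessCreate":
            procs[e["pid"]] = e
            img = e["image"]
            # Executing a file that was created earlier in this same trace.
            if img.lower() in created:
                findings.append(("exec_dropped_file", e["pid"], img))
            # 32-bit process asked for System32 but was redirected to SysWOW64.
            if "\\system32\\" in e["cmdline"].lower() and "\\syswow64\\" in img.lower():
                findings.append(("wow64_redirect", e["pid"], img))
        elif e["type"] == "DnsQuery":
            if e["query"].lower() in C2_HOSTS:
                findings.append(("c2_lookup", e["pid"], e["query"]))
    return findings


def lineage(events, pid):
    """Walk parent links from pid to the root; returns image basenames root-first."""
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"].rsplit("\\", 1)[-1])
        pid = procs[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:18} pid={pid:<5} {detail}")
    print(" -> ".join(lineage(EVENTS, 1752)))
```

Matching on "file created earlier in the trace, then executed" rather than on the literal name omsecor.exe is what keeps the rule useful when the dropper is rebuilt with a different file name; the system-directory check must include SysWOW64 for the reason given above, since that is where a 32-bit dropper's "System32" write actually lands.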
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
35KB
MD5 a547a57f5e55bd9c921fb644715efcf0
SHA1 f19c6d51523c662ee3efd9cfa384445a51f6400e
SHA256 e20103bd3142d568e408b762a3fdce2663948cd4d8c0d00f44f6a87756e045ba
SHA512 1f383ea46872b97b7eff6035db8a6caebaea642db9d6e43156fb701477bdd0b3643487b1069180d81f1d3fe7455167743196250ce8f4109eb61f7a49374634ab
-
Filesize
35KB
MD5 6915932c28c0b1e6603592398e25b5d4
SHA1 e403b1b7b58e57af03ac6bc803d0d2c6f7a30879
SHA256 b56a8f0a56ff26cbd2617b77293d8bd067a915d6996a8aab6bc9a24297094f57
SHA512 fd1ee9f8f6f9c83791219d589176ad7a93c69ede542df1ec4ff8b91aa75b8773d16cfef8e4be65179b026bc56661f2ba9ffd7f1e4808feb24dcc8528cf8b3a86
-
Filesize
35KB
MD5 83c8ac7f85c968f71382571518e6f1d8
SHA1 ee371b6ef8ed69f02c8476b0b4587591341b415d
SHA256 2eea9920c86c7999b8d4e440991b8e62cde1bc9885f25bef24c000da4c1b4372
SHA512 127fb87d275a6df1306bc3638dc5b28decca201ba6e00b548d53580547459770fe2b89a524db1b1a3547f7582244df14e1e134a698d4c55055e010b5ce7a84f2