Analysis
max time kernel: 146s
max time network: 152s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 10-05-2024 23:23
Static task: static1
Behavioral task: behavioral1
Sample: 2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: 2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe
Size: 96KB
MD5: 2a621fa6ba8773b3bb819de2e1133fc0
SHA1: 11e6f733676b773609dbafefb8bbefcf0c453b47
SHA256: b898be6a3f8e1566ddf8b5fc9c35dbf0b8898dd1d8e53ae0db40157047fe3f35
SHA512: 0bd739f1b35fdbcff36295ec23c37cfefea621106e0c99303ea90f7b3bbbccc0c870db6cbf46e906799f02fdbeeda99491a398f0c4661d5b40fbd409010391de
SSDEEP: 1536:fnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:fGs8cd8eXlYairZYqMddH13L
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
Executes dropped EXE (6 IoCs)
pid | Process
3040 | omsecor.exe
2664 | omsecor.exe
836 | omsecor.exe
2036 | omsecor.exe
2056 | omsecor.exe
2172 | omsecor.exe
Loads dropped DLL (7 IoCs)
pid | Process
1952 | 2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe
1952 | 2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe
3040 | omsecor.exe
2664 | omsecor.exe
2664 | omsecor.exe
2036 | omsecor.exe
2036 | omsecor.exe
Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 1616 set thread context of 1952 | 1616 | 2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe | 28
PID 3040 set thread context of 2664 | 3040 | omsecor.exe | 30
PID 836 set thread context of 2036 | 836 | omsecor.exe | 35
PID 2056 set thread context of 2172 | 2056 | omsecor.exe | 37
Suspicious use of WriteProcessMemory (36 IoCs)
description | pid | Process | procid_target
PID 1616 wrote to memory of 1952 | 1616 | 2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe | 28
PID 1616 wrote to memory of 1952 | 1616 | 2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe | 28
PID 1616 wrote to memory of 1952 | 1616 | 2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe | 28
PID 1616 wrote to memory of 1952 | 1616 | 2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe | 28
PID 1616 wrote to memory of 1952 | 1616 | 2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe | 28
PID 1616 wrote to memory of 1952 | 1616 | 2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe | 28
PID 1952 wrote to memory of 3040 | 1952 | 2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe | 29
PID 1952 wrote to memory of 3040 | 1952 | 2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe | 29
PID 1952 wrote to memory of 3040 | 1952 | 2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe | 29
PID 1952 wrote to memory of 3040 | 1952 | 2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe | 29
PID 3040 wrote to memory of 2664 | 3040 | omsecor.exe | 30
PID 3040 wrote to memory of 2664 | 3040 | omsecor.exe | 30
PID 3040 wrote to memory of 2664 | 3040 | omsecor.exe | 30
PID 3040 wrote to memory of 2664 | 3040 | omsecor.exe | 30
PID 3040 wrote to memory of 2664 | 3040 | omsecor.exe | 30
PID 3040 wrote to memory of 2664 | 3040 | omsecor.exe | 30
PID 2664 wrote to memory of 836 | 2664 | omsecor.exe | 34
PID 2664 wrote to memory of 836 | 2664 | omsecor.exe | 34
PID 2664 wrote to memory of 836 | 2664 | omsecor.exe | 34
PID 2664 wrote to memory of 836 | 2664 | omsecor.exe | 34
PID 836 wrote to memory of 2036 | 836 | omsecor.exe | 35
PID 836 wrote to memory of 2036 | 836 | omsecor.exe | 35
PID 836 wrote to memory of 2036 | 836 | omsecor.exe | 35
PID 836 wrote to memory of 2036 | 836 | omsecor.exe | 35
PID 836 wrote to memory of 2036 | 836 | omsecor.exe | 35
PID 836 wrote to memory of 2036 | 836 | omsecor.exe | 35
PID 2036 wrote to memory of 2056 | 2036 | omsecor.exe | 36
PID 2036 wrote to memory of 2056 | 2036 | omsecor.exe | 36
PID 2036 wrote to memory of 2056 | 2036 | omsecor.exe | 36
PID 2036 wrote to memory of 2056 | 2036 | omsecor.exe | 36
PID 2056 wrote to memory of 2172 | 2056 | omsecor.exe | 37
PID 2056 wrote to memory of 2172 | 2056 | omsecor.exe | 37
PID 2056 wrote to memory of 2172 | 2056 | omsecor.exe | 37
PID 2056 wrote to memory of 2172 | 2056 | omsecor.exe | 37
PID 2056 wrote to memory of 2172 | 2056 | omsecor.exe | 37
PID 2056 wrote to memory of 2172 | 2056 | omsecor.exe | 37
Processes (process tree; each entry is spawned by the one above it)
1. C:\Users\Admin\AppData\Local\Temp\2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe"
   PID: 1616
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe
     Command line: C:\Users\Admin\AppData\Local\Temp\2a621fa6ba8773b3bb819de2e1133fc0_NeikiAnalytics.exe
     PID: 1952
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Roaming\omsecor.exe
       Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
       PID: 3040
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of SetThreadContext
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Roaming\omsecor.exe
         Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         PID: 2664
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\omsecor.exe
           Command line: C:\Windows\System32\omsecor.exe
           PID: 836
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\SysWOW64\omsecor.exe
             Command line: C:\Windows\SysWOW64\omsecor.exe
             PID: 2036
             - Executes dropped EXE
             - Loads dropped DLL
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Roaming\omsecor.exe
               Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
               PID: 2056
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory
              8. C:\Users\Admin\AppData\Roaming\omsecor.exe
                 Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                 PID: 2172
                 - Executes dropped EXE
Downloads