Analysis

max time kernel: 146s
max time network: 148s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 23:24

Static task: static1
Behavioral task: behavioral1
Sample: 5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: 5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe
Size: 134KB
MD5: 5afd94cc31a233536072343ff517f3a0
SHA1: 1151a1bdec480b1bb013d6a0e1b59055cfee6688
SHA256: 335afed6ffd674bbcaa384fbbcb5f34d6bd3dd1dea45dbd043b58faea73b2195
SHA512: 2b0d844036c0b4c98625b92a08ae64d464e6ad5bc92c081cf953e30041ea7c64f3e39877eeb149bda5f1b1739ea06c2ed40e693eba2dc7158b44edde807288aa
SSDEEP: 1536:ODfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:wiRTeH0iqAW6J6f1tqF6dngNmaZCia
Malware Config

Extracted: neconyd
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)
  PID   Process
  1980  omsecor.exe
  2596  omsecor.exe
  1448  omsecor.exe
  2696  omsecor.exe
  1052  omsecor.exe
  1692  omsecor.exe

Loads dropped DLL (7 IoCs)
  PID   Process
  2980  5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe
  2980  5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe
  1980  omsecor.exe
  2596  omsecor.exe
  2596  omsecor.exe
  2696  omsecor.exe
  2696  omsecor.exe

Drops file in System32 directory (1 IoC)
  Description   IoC                               Process
  File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
  Description                          PID   Process                                               Target process
  PID 2932 set thread context of 2980  2932  5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe  5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe
  PID 1980 set thread context of 2596  1980  omsecor.exe                                           omsecor.exe
  PID 1448 set thread context of 2696  1448  omsecor.exe                                           omsecor.exe
  PID 1052 set thread context of 1692  1052  omsecor.exe                                           omsecor.exe

Suspicious use of WriteProcessMemory (36 IoCs; identical rows collapsed, count in the last column)
  Description                        PID   Process                                               Target process                                        Count
  PID 2932 wrote to memory of 2980   2932  5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe  5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe  6
  PID 2980 wrote to memory of 1980   2980  5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe  omsecor.exe                                           4
  PID 1980 wrote to memory of 2596   1980  omsecor.exe                                           omsecor.exe                                           6
  PID 2596 wrote to memory of 1448   2596  omsecor.exe                                           omsecor.exe                                           4
  PID 1448 wrote to memory of 2696   1448  omsecor.exe                                           omsecor.exe                                           6
  PID 2696 wrote to memory of 1052   2696  omsecor.exe                                           omsecor.exe                                           4
  PID 1052 wrote to memory of 1692   1052  omsecor.exe                                           omsecor.exe                                           6
Processes

1. C:\Users\Admin\AppData\Local\Temp\5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe"
   PID: 2932
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

  2. C:\Users\Admin\AppData\Local\Temp\5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe
     Command line: C:\Users\Admin\AppData\Local\Temp\5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe
     PID: 2980
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\AppData\Roaming\omsecor.exe
       Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
       PID: 1980
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of SetThreadContext
       - Suspicious use of WriteProcessMemory

      4. C:\Users\Admin\AppData\Roaming\omsecor.exe
         Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         PID: 2596
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - Suspicious use of WriteProcessMemory

        5. C:\Windows\SysWOW64\omsecor.exe
           Command line: C:\Windows\System32\omsecor.exe
           PID: 1448
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Suspicious use of WriteProcessMemory

          6. C:\Windows\SysWOW64\omsecor.exe
             Command line: C:\Windows\SysWOW64\omsecor.exe
             PID: 2696
             - Executes dropped EXE
             - Loads dropped DLL
             - Suspicious use of WriteProcessMemory

            7. C:\Users\Admin\AppData\Roaming\omsecor.exe
               Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
               PID: 1052
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory

              8. C:\Users\Admin\AppData\Roaming\omsecor.exe
                 Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                 PID: 1692
                 - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

Dropped file 1
  Filesize: 134KB
  MD5: 3136f87d558f19234dffde62f80fc053
  SHA1: 09aa0482fe1fd731f0aba2d9218a16bed9a56f28
  SHA256: 87dd713da95cf6f0999f11dc98f227036ca2047e630fa3df9e7ee64dff65f1bb
  SHA512: 202f55c5583f0f55f2d5b765665c5ec1d8ad96d3711230e627a23d8570b6a36d800954c649985b5a27be1367dd42368d744b44f292177dfe31aab26cbd849a6d

Dropped file 2
  Filesize: 134KB
  MD5: cd122130f44a2bab5c08af4485bcc65f
  SHA1: e3a7800003f05abf11b0468830ec1c6494c621e4
  SHA256: b452ce4d7ac524f363cc1705379c363fcef637d7dad8ca922dc0ea06d8d38f0b
  SHA512: 7d887b083d10ddafcac182622d50f9e31447f5f4e44ae6acd988601bfd0be3d800e4a9600c2cfef057461a93ca494e0cab06c8b6e99a7c1102b43df89047125e

Dropped file 3
  Filesize: 134KB
  MD5: 2cfbe889c7a79e8ca18a2c6212821250
  SHA1: a388a76a78ac93a323f8e8d6617573f13f669550
  SHA256: 482df5b147ce292bfef53e1c80725516430bf91c24cd4046e83ade0285f0f726
  SHA512: 192843e46a2256fe1b1ac4ae9fdce860ae4015ddf78101713209b70c72cf847f21b95b969b1395c694be1d06059ee615febca6dfa6e0a4d37e699dd127d43a95