Analysis

max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 23:24

Static task: static1
Behavioral task: behavioral1
Sample: 5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: 5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe
Size: 134KB
MD5: 5afd94cc31a233536072343ff517f3a0
SHA1: 1151a1bdec480b1bb013d6a0e1b59055cfee6688
SHA256: 335afed6ffd674bbcaa384fbbcb5f34d6bd3dd1dea45dbd043b58faea73b2195
SHA512: 2b0d844036c0b4c98625b92a08ae64d464e6ad5bc92c081cf953e30041ea7c64f3e39877eeb149bda5f1b1739ea06c2ed40e693eba2dc7158b44edde807288aa
SSDEEP: 1536:ODfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:wiRTeH0iqAW6J6f1tqF6dngNmaZCia
Malware Config

Extracted: neconyd
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)
Processes:
  pid    process
  1800   omsecor.exe
  1772   omsecor.exe
  628    omsecor.exe
  3692   omsecor.exe
  2372   omsecor.exe
  4384   omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
  description    ioc                                process
  File created   C:\Windows\SysWOW64\omsecor.exe    omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes:
  description                            pid    process                                                target process
  PID 960 set thread context of 1724     960    5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe    5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe
  PID 1800 set thread context of 1772    1800   omsecor.exe                                            omsecor.exe
  PID 628 set thread context of 3692     628    omsecor.exe                                            omsecor.exe
  PID 2372 set thread context of 4384    2372   omsecor.exe                                            omsecor.exe

Program crash (4 IoCs)
Processes:
  pid    pid_target   process        target process
  4508   960          WerFault.exe   5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe
  628    1800         WerFault.exe   omsecor.exe
  2540   628          WerFault.exe   omsecor.exe
  1404   2372         WerFault.exe   omsecor.exe

Suspicious use of WriteProcessMemory (29 IoCs)
Processes (identical rows collapsed; the last column gives the number of occurrences):
  description                          pid    process                                                target process                                         occurrences
  PID 960 wrote to memory of 1724      960    5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe    5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe    5
  PID 1724 wrote to memory of 1800     1724   5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe    omsecor.exe                                            3
  PID 1800 wrote to memory of 1772     1800   omsecor.exe                                            omsecor.exe                                            5
  PID 1772 wrote to memory of 628      1772   omsecor.exe                                            omsecor.exe                                            3
  PID 628 wrote to memory of 3692      628    omsecor.exe                                            omsecor.exe                                            5
  PID 3692 wrote to memory of 2372     3692   omsecor.exe                                            omsecor.exe                                            3
  PID 2372 wrote to memory of 4384     2372   omsecor.exe                                            omsecor.exe                                            5
Processes (tree; indentation shows the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe (PID 960)
  command line: "C:\Users\Admin\AppData\Local\Temp\5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe (PID 1724)
    command line: C:\Users\Admin\AppData\Local\Temp\5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1800)
      command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1772)
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\omsecor.exe (PID 628)
          command line: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\omsecor.exe (PID 3692)
            command line: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2372)
              command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
              C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4384)
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
              C:\Windows\SysWOW64\WerFault.exe (PID 1404)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 268
                - Program crash
          C:\Windows\SysWOW64\WerFault.exe (PID 2540)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 292
            - Program crash
      C:\Windows\SysWOW64\WerFault.exe (PID 628)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 272
        - Program crash
  C:\Windows\SysWOW64\WerFault.exe (PID 4508)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 288
    - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 4512)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 960 -ip 960

C:\Windows\SysWOW64\WerFault.exe (PID 1308)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe (PID 1732)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 628 -ip 628

C:\Windows\SysWOW64\WerFault.exe (PID 4720)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2372 -ip 2372
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 134KB
MD5: cf4de8c7e946c26c2efdee3bb1f253a9
SHA1: 3a70ee1a1a379cabda0597ca3f15418e3b462772
SHA256: f3ddf4dc76ccb30729025c9a72bf2eea14c83f9e9aee61e2c115ff481f9d806a
SHA512: d270f11b23a2af23a1fef10c14844a8498010034ac782849d1cf9290a13b1a0bd8a4e308eb898a1051ff9bec2f1eba0850f5c34300efd9b9a5293ba6fdd88ee8

Filesize: 134KB
MD5: 3136f87d558f19234dffde62f80fc053
SHA1: 09aa0482fe1fd731f0aba2d9218a16bed9a56f28
SHA256: 87dd713da95cf6f0999f11dc98f227036ca2047e630fa3df9e7ee64dff65f1bb
SHA512: 202f55c5583f0f55f2d5b765665c5ec1d8ad96d3711230e627a23d8570b6a36d800954c649985b5a27be1367dd42368d744b44f292177dfe31aab26cbd849a6d

Filesize: 134KB
MD5: d01a07a65c805485a3448a937fb573f3
SHA1: ef4593b5efe12dfc5f3509ad7e8b1787c94ce2d2
SHA256: cf9d4e5b13aedcd5f40b74745b7ceea884993332829cae3229db5a8bd2489227
SHA512: 80f24a10f6a4c3b6e7e6da94164aaa739d047b463f15928eddea0c955b3515d4ae76921654ee52451afea775dcba977ad2216a51c13967082f22682839096e5d