Analysis
max time kernel: 146s
max time network: 148s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 15:30
Static task: static1
Behavioral task: behavioral1
Sample: e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
Size: 134KB
MD5: e444da3b42335ab84fedf3405c40c630
SHA1: 5dfeda8113e9f94a4b87c6e71c34206aa3426dba
SHA256: e4d80583e99b1a56c5b4029c7403eddd1aeb098378337e297892d17b7436219e
SHA512: b83c3c02505708bc3737d17f1f96a6882ec97b3d07ea99e3a83886c116b29294c77b8fff1eb48d12dcafeadb261185b811f3ef050d638bf8e1a8ed37c17159d5
SSDEEP: 1536:oDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:OiRTeH0NqAW6J6f1tqF6dngNmaZC7M
Malware Config
Extracted: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)
pid   process
2340  omsecor.exe
2392  omsecor.exe
2336  omsecor.exe
2736  omsecor.exe
2316  omsecor.exe
1748  omsecor.exe

Loads dropped DLL (7 IoCs)
pid   process
2008  e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
2008  e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
2340  omsecor.exe
2392  omsecor.exe
2392  omsecor.exe
2736  omsecor.exe
2736  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
description                          pid   process                                              target process
PID 2348 set thread context of 2008  2348  e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe  e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
PID 2340 set thread context of 2392  2340  omsecor.exe                                          omsecor.exe
PID 2336 set thread context of 2736  2336  omsecor.exe                                          omsecor.exe
PID 2316 set thread context of 1748  2316  omsecor.exe                                          omsecor.exe

Suspicious use of WriteProcessMemory (36 IoCs)
occurrences  description                        pid   process                                              target process
6            PID 2348 wrote to memory of 2008   2348  e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe  e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
4            PID 2008 wrote to memory of 2340   2008  e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe  omsecor.exe
6            PID 2340 wrote to memory of 2392   2340  omsecor.exe                                          omsecor.exe
4            PID 2392 wrote to memory of 2336   2392  omsecor.exe                                          omsecor.exe
6            PID 2336 wrote to memory of 2736   2336  omsecor.exe                                          omsecor.exe
4            PID 2736 wrote to memory of 2316   2736  omsecor.exe                                          omsecor.exe
6            PID 2316 wrote to memory of 1748   2316  omsecor.exe                                          omsecor.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe"
   PID: 2348
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
      PID: 2008
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\omsecor.exe
         Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         PID: 2340
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2392
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\omsecor.exe
               Command line: C:\Windows\System32\omsecor.exe
               PID: 2336
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\SysWOW64\omsecor.exe
                  Command line: C:\Windows\SysWOW64\omsecor.exe
                  PID: 2736
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Suspicious use of WriteProcessMemory

                  7. C:\Users\Admin\AppData\Roaming\omsecor.exe
                     Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                     PID: 2316
                     - Executes dropped EXE
                     - Suspicious use of SetThreadContext
                     - Suspicious use of WriteProcessMemory

                     8. C:\Users\Admin\AppData\Roaming\omsecor.exe
                        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                        PID: 1748
                        - Executes dropped EXE
Downloads

Filesize: 134KB
MD5: ebff5912f487cc7e8043af0b5faaf6d8
SHA1: d3b9cec1654186356d365fb12ea2f51757ebaa27
SHA256: e0a350f734b2f31399610bcf6d1c2df7e1a688b108a272484ab801c24f9680d8
SHA512: 40cc008fbdb0dd16b5667d0ddb51ad04bbd1644ffc1e58108fffe1ce34bce59645eeb1f4189f0458cfa9f122e5fc0d1e1c4eadaa3d7fe91c1151a4f09fda54f1

Filesize: 134KB
MD5: 793639c796fb24909caabea9a4bce7b3
SHA1: e6b83345985ffd053fd8e42848dbb55bc5f18904
SHA256: 8eba1c25c82682945b78366c25fbc40567c592866a5003d22c0499191ef0f174
SHA512: d0b184668b7bf662e6cf804fce8668e2f5f6759a7674112badd409b1530e09d3727b0563285b1cf6fb8c980a51fb86e01260a8016af9c3f19db89e4babce23d8

Filesize: 134KB
MD5: c1094d6d09679c1dc736197caffcd561
SHA1: cae01aaa7f6ab91a86f6033e50c921f6bc60afae
SHA256: 79534e61998ab5234b03021774dda379976ce64729bf17a7e0f9e007fc581bc8
SHA512: d887c7e7e85e7ff584641a40186f554665961ad7129a7887e7594d781b9bad42b75b24812eaf1a8d8c376fc556a7822b62ab864634d6fdce68d1af6a0522d47e