Analysis

max time kernel: 146s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 15:30

Static task: static1
Behavioral task: behavioral1
Sample: e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
Size: 134KB
MD5: e444da3b42335ab84fedf3405c40c630
SHA1: 5dfeda8113e9f94a4b87c6e71c34206aa3426dba
SHA256: e4d80583e99b1a56c5b4029c7403eddd1aeb098378337e297892d17b7436219e
SHA512: b83c3c02505708bc3737d17f1f96a6882ec97b3d07ea99e3a83886c116b29294c77b8fff1eb48d12dcafeadb261185b811f3ef050d638bf8e1a8ed37c17159d5
SSDEEP: 1536:oDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:OiRTeH0NqAW6J6f1tqF6dngNmaZC7M
Malware Config

Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)
Processes:
  pid   process
  4088  omsecor.exe
  1032  omsecor.exe
  3704  omsecor.exe
  2908  omsecor.exe
  612   omsecor.exe
  2328  omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes:
  description                          pid   process                                              target process
  PID 1692 set thread context of 100   1692  e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe  e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
  PID 4088 set thread context of 1032  4088  omsecor.exe                                          omsecor.exe
  PID 3704 set thread context of 2908  3704  omsecor.exe                                          omsecor.exe
  PID 612 set thread context of 2328   612   omsecor.exe                                          omsecor.exe

Program crash (4 IoCs)
Processes:
  pid   pid_target  process       target process
  2928  1692        WerFault.exe  e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
  3076  4088        WerFault.exe  omsecor.exe
  2488  3704        WerFault.exe  omsecor.exe
  5108  612         WerFault.exe  omsecor.exe

Suspicious use of WriteProcessMemory (29 IoCs)
Processes (identical rows collapsed; the occurrences column gives how many times each write was recorded, 29 in total):
  description                        pid   process                                              target process                                       occurrences
  PID 1692 wrote to memory of 100    1692  e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe  e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe  5
  PID 100 wrote to memory of 4088    100   e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe  omsecor.exe                                          3
  PID 4088 wrote to memory of 1032   4088  omsecor.exe                                          omsecor.exe                                          5
  PID 1032 wrote to memory of 3704   1032  omsecor.exe                                          omsecor.exe                                          3
  PID 3704 wrote to memory of 2908   3704  omsecor.exe                                          omsecor.exe                                          5
  PID 2908 wrote to memory of 612    2908  omsecor.exe                                          omsecor.exe                                          3
  PID 612 wrote to memory of 2328    612   omsecor.exe                                          omsecor.exe                                          5
Processes

Each entry gives the image path, the command line, the PID and the signatures that fired; the bracketed number is the depth in the process tree and children are indented under their parent.

[1] C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe"
    PID: 1692
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
      command line: C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
      PID: 100
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\omsecor.exe
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 4088
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
          command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          PID: 1032
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\omsecor.exe
            command line: C:\Windows\System32\omsecor.exe
            PID: 3704
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\omsecor.exe
              command line: C:\Windows\SysWOW64\omsecor.exe
              PID: 2908
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory

            [7] C:\Users\Admin\AppData\Roaming\omsecor.exe
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 612
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory

              [8] C:\Users\Admin\AppData\Roaming\omsecor.exe
                  command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                  PID: 2328
                  - Executes dropped EXE

              [8] C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 256
                  PID: 5108
                  - Program crash

          [6] C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 292
              PID: 2488
              - Program crash

      [4] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 300
          PID: 3076
          - Program crash

  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 300
      PID: 2928
      - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1692 -ip 1692
    PID: 1892

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4088 -ip 4088
    PID: 1416

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3704 -ip 3704
    PID: 4732

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 612 -ip 612
    PID: 4456
Downloads