Analysis
max time kernel: 145s
max time network: 148s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 16:44
Static task: static1
Behavioral task: behavioral1
Sample: f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
Size: 134KB
MD5: f6a0b013d09974e204dea75b6b77ce90
SHA1: df3bcaa3fad6d501f909fa7da71eee0d51bc0a0c
SHA256: 892b63b4b9488cc1c62d418da8b427719e392547338f175a9be072fd8bc2c619
SHA512: 475ca9bbde7339bf9548a8d696cd271fc755c49fcd7d3961d4b97dac29096961f7b94beea68797f62e8b447575f8d54534a4bbab9f9065ec260340cedbf03493
SSDEEP: 1536:PDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:7iRTeH0NqAW6J6f1tqF6dngNmaZC7M
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)
Processes (pid, process):
- 2992 omsecor.exe
- 2804 omsecor.exe
- 2408 omsecor.exe
- 572 omsecor.exe
- 1000 omsecor.exe
- 2240 omsecor.exe

Loads dropped DLL (7 IoCs)
Processes (pid, process):
- 2032 f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
- 2032 f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
- 2992 omsecor.exe
- 2804 omsecor.exe
- 2804 omsecor.exe
- 572 omsecor.exe
- 572 omsecor.exe

Drops file in System32 directory (1 IoC)
Processes (description, ioc, process):
- File created: C:\Windows\SysWOW64\omsecor.exe, by omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes (description, pid, process, target process):
- PID 2892 set thread context of 2032: f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe -> f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
- PID 2992 set thread context of 2804: omsecor.exe -> omsecor.exe
- PID 2408 set thread context of 572: omsecor.exe -> omsecor.exe
- PID 1000 set thread context of 2240: omsecor.exe -> omsecor.exe

Suspicious use of WriteProcessMemory (36 IoCs)
Processes (description, pid, process, target process; identical entries shown once with their count):
- PID 2892 wrote to memory of 2032: f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe -> f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe (x6)
- PID 2032 wrote to memory of 2992: f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe -> omsecor.exe (x4)
- PID 2992 wrote to memory of 2804: omsecor.exe -> omsecor.exe (x6)
- PID 2804 wrote to memory of 2408: omsecor.exe -> omsecor.exe (x4)
- PID 2408 wrote to memory of 572: omsecor.exe -> omsecor.exe (x6)
- PID 572 wrote to memory of 1000: omsecor.exe -> omsecor.exe (x4)
- PID 1000 wrote to memory of 2240: omsecor.exe -> omsecor.exe (x6)
Processes
Process tree (depth in brackets; each process is spawned by the one above it):

[1] C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe"
    PID: 2892
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

[2] C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
    PID: 2032
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

[3] C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2992
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

[4] C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2804
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\SysWOW64\omsecor.exe
    Command line: C:\Windows\System32\omsecor.exe
    PID: 2408
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\SysWOW64\omsecor.exe
    Command line: C:\Windows\SysWOW64\omsecor.exe
    PID: 572
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

[7] C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 1000
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

[8] C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2240
    - Executes dropped EXE
Downloads

- Filesize: 134KB
  MD5: 839554688e674750501bb4ee37ce4485
  SHA1: 97e21fe732e00a5453b2c81cdaf0e443eca2087c
  SHA256: af21b58c5fb636d935414c4cd6bc5ad8a81b64806e82e557bdfa1283572df08e
  SHA512: bfb27907d93f7e56f77d299f4187d9d29a3914fd7ba3b70db99ce9e96caf77135aa90c0d523f8b6e37edbc342164ccbb2561afd7f77d3d70a7829d160a96e5e0

- Filesize: 134KB
  MD5: d4c6cd7c0b7cc06520db971df2b61b4c
  SHA1: 5843adf3b35e97e44e43f04c3341300119f67d90
  SHA256: 50c03ddc511cda534cac111ef1f3cd3cc944ff67bfc9a31ac6d1879259b92f7c
  SHA512: 6955708588efeca0e881e10e219d95f506fb8cca16370becfd234bca853b29bf0a7ee4ccd93252560377d37c39af092388ff25d543ad8c93f906bbca34d59f78

- Filesize: 134KB
  MD5: 29de4db7e3822e6f31930cbe173a01c7
  SHA1: b7562f22537eb25af5b2215431544ad34559bd6d
  SHA256: a18d66c3a027e0cb8117fbdbe4ddb62f5a02f623dca0a2fd0a786c360e8ffcbe
  SHA512: cb586d18869d3b0534aea19ecd2a51b56b48ee35b8f3e0569b31dc6e4b54e04245c26fe96860fed14b12854a4f3cd2fe5ab95bc15a4c4f315f517b38c3c15a28