Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-05-2024 16:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
- Resource: win7-20240508-en
General
- Target: f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
- Size: 134KB
- MD5: f6a0b013d09974e204dea75b6b77ce90
- SHA1: df3bcaa3fad6d501f909fa7da71eee0d51bc0a0c
- SHA256: 892b63b4b9488cc1c62d418da8b427719e392547338f175a9be072fd8bc2c619
- SHA512: 475ca9bbde7339bf9548a8d696cd271fc755c49fcd7d3961d4b97dac29096961f7b94beea68797f62e8b447575f8d54534a4bbab9f9065ec260340cedbf03493
- SSDEEP: 1536:PDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:7iRTeH0NqAW6J6f1tqF6dngNmaZC7M
Malware Config
Extracted (neconyd):
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (6 IoCs)
  Processes (pid, process):
  - 404 omsecor.exe
  - 4772 omsecor.exe
  - 3104 omsecor.exe
  - 1076 omsecor.exe
  - 1492 omsecor.exe
  - 4584 omsecor.exe
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
  - File created C:\Windows\SysWOW64\omsecor.exe by omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  Processes (description, pid, process, target process):
  - PID 2184 set thread context of 4236 (f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe -> f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe)
  - PID 404 set thread context of 4772 (omsecor.exe -> omsecor.exe)
  - PID 3104 set thread context of 1076 (omsecor.exe -> omsecor.exe)
  - PID 1492 set thread context of 4584 (omsecor.exe -> omsecor.exe)
- Program crash (4 IoCs)
  Processes (pid, pid_target, process, target process):
  - 1112 WerFault.exe, target 2184 f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
  - 3164 WerFault.exe, target 404 omsecor.exe
  - 1216 WerFault.exe, target 3104 omsecor.exe
  - 3396 WerFault.exe, target 1492 omsecor.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes (description, pid, process, target process; repeated identical entries collapsed with a count):
  - PID 2184 wrote to memory of 4236 (f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe -> f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe), 5 times
  - PID 4236 wrote to memory of 404 (f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe -> omsecor.exe), 3 times
  - PID 404 wrote to memory of 4772 (omsecor.exe -> omsecor.exe), 5 times
  - PID 4772 wrote to memory of 3104 (omsecor.exe -> omsecor.exe), 3 times
  - PID 3104 wrote to memory of 1076 (omsecor.exe -> omsecor.exe), 5 times
  - PID 1076 wrote to memory of 1492 (omsecor.exe -> omsecor.exe), 3 times
  - PID 1492 wrote to memory of 4584 (omsecor.exe -> omsecor.exe), 5 times
Processes (process tree; depth shown by indentation, signatures in brackets)
- PID 2184: "C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe" [Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory]
  - PID 4236: C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe [Suspicious use of WriteProcessMemory]
    - PID 404: C:\Users\Admin\AppData\Roaming\omsecor.exe [Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory]
      - PID 4772: C:\Users\Admin\AppData\Roaming\omsecor.exe [Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory]
        - PID 3104: C:\Windows\System32\omsecor.exe (image: C:\Windows\SysWOW64\omsecor.exe) [Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory]
          - PID 1076: C:\Windows\SysWOW64\omsecor.exe [Executes dropped EXE; Suspicious use of WriteProcessMemory]
            - PID 1492: C:\Users\Admin\AppData\Roaming\omsecor.exe [Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory]
              - PID 4584: C:\Users\Admin\AppData\Roaming\omsecor.exe [Executes dropped EXE]
              - PID 3396: C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 256 [Program crash]
          - PID 1216: C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 292 [Program crash]
      - PID 3164: C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 288 [Program crash]
  - PID 1112: C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 288 [Program crash]
- PID 4720: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2184 -ip 2184
- PID 1568: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 404 -ip 404
- PID 4540: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8
- PID 4636: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3104 -ip 3104
- PID 4224: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1492 -ip 1492
Network
MITRE ATT&CK Matrix
Downloads
- Dropped file 1
  - Filesize: 134KB
  - MD5: aafd1724bc43e9a08389314b5d844e14
  - SHA1: fa2bf1876ee3a05611e96ee1dffacac472bc2792
  - SHA256: 9d7c686545f4172665a6372000c92b9a3a74073ae6f7c08d25c1a681c50f3d4a
  - SHA512: c9f745cf32017cc1c9e956b6a71e10c2713f88b00293ab9fe680febc5cadebd3bb8745cc010089e40526e4b18ed8d5e9542e39a23340ba902a4509e2191f0e56
- Dropped file 2
  - Filesize: 134KB
  - MD5: d4c6cd7c0b7cc06520db971df2b61b4c
  - SHA1: 5843adf3b35e97e44e43f04c3341300119f67d90
  - SHA256: 50c03ddc511cda534cac111ef1f3cd3cc944ff67bfc9a31ac6d1879259b92f7c
  - SHA512: 6955708588efeca0e881e10e219d95f506fb8cca16370becfd234bca853b29bf0a7ee4ccd93252560377d37c39af092388ff25d543ad8c93f906bbca34d59f78
- Dropped file 3
  - Filesize: 134KB
  - MD5: 92238cad262c15ca6e3b989b4f904901
  - SHA1: 2d9debcd11c0ac6faaaf1996669cbe854237ca47
  - SHA256: 351aa293a0808228de3116b6572a082b507928637f4f61ce590a5f8c4ad7bc1b
  - SHA512: 95af30f15f7a521bb64235456b9b0ade084531de438debea62915a41356d7369c09b8188dc7731ca5de67db35c463d2b438752b18abb2437bbacae3391b2a355