Analysis

Max time kernel: 146s
Max time network: 153s
Platform: windows7_x64
Resource: win7-20240220-en
Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
Submitted: 19-05-2024 21:09

Static task: static1
Behavioral task: behavioral1
Sample: 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe
Resource: win7-20240220-en
General

Target: 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe
Size: 96KB
MD5: 3a06824939308fa3b1a5774d951d4bb0
SHA1: 835a81e8c679997717562b90e11ec2723c5317a6
SHA256: a47c73c19b4e5f5f7206a46a5adef98372d9e624387c17a398b5d4e4306a10ab
SHA512: 0ee3c09afce90c7d6dcaaabe4a1ea8f6e2ad9a56c888d5c10c430549ed7159c0ecfdbf5ced8090227ce9106500c65dd608371ea71275d86ab463309bbd24dc0e
SSDEEP: 1536:wnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:wGs8cd8eXlYairZYqMddH13L
Malware Config

Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)

| pid  | process     |
|------|-------------|
| 2508 | omsecor.exe |
| 2620 | omsecor.exe |
| 112  | omsecor.exe |
| 2016 | omsecor.exe |
| 2216 | omsecor.exe |
| 1896 | omsecor.exe |

Loads dropped DLL (7 IoCs)

| pid  | process                                             |
|------|-----------------------------------------------------|
| 1920 | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe |
| 1920 | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe |
| 2508 | omsecor.exe                                         |
| 2620 | omsecor.exe                                         |
| 2620 | omsecor.exe                                         |
| 2016 | omsecor.exe                                         |
| 2016 | omsecor.exe                                         |

Drops file in System32 directory (1 IoC)

| description  | ioc                             | process     |
|--------------|---------------------------------|-------------|
| File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe |

Suspicious use of SetThreadContext (4 IoCs)

| description                         | pid  | process                                             | target process                                      |
|-------------------------------------|------|-----------------------------------------------------|-----------------------------------------------------|
| PID 2916 set thread context of 1920 | 2916 | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe |
| PID 2508 set thread context of 2620 | 2508 | omsecor.exe                                         | omsecor.exe                                         |
| PID 112 set thread context of 2016  | 112  | omsecor.exe                                         | omsecor.exe                                         |
| PID 2216 set thread context of 1896 | 2216 | omsecor.exe                                         | omsecor.exe                                         |

Suspicious use of WriteProcessMemory (36 IoCs)

| description                        | pid  | process                                             | target process                                      |
|------------------------------------|------|-----------------------------------------------------|-----------------------------------------------------|
| PID 2916 wrote to memory of 1920   | 2916 | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe |
| PID 2916 wrote to memory of 1920   | 2916 | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe |
| PID 2916 wrote to memory of 1920   | 2916 | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe |
| PID 2916 wrote to memory of 1920   | 2916 | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe |
| PID 2916 wrote to memory of 1920   | 2916 | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe |
| PID 2916 wrote to memory of 1920   | 2916 | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe |
| PID 1920 wrote to memory of 2508   | 1920 | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe | omsecor.exe                                         |
| PID 1920 wrote to memory of 2508   | 1920 | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe | omsecor.exe                                         |
| PID 1920 wrote to memory of 2508   | 1920 | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe | omsecor.exe                                         |
| PID 1920 wrote to memory of 2508   | 1920 | 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe | omsecor.exe                                         |
| PID 2508 wrote to memory of 2620   | 2508 | omsecor.exe                                         | omsecor.exe                                         |
| PID 2508 wrote to memory of 2620   | 2508 | omsecor.exe                                         | omsecor.exe                                         |
| PID 2508 wrote to memory of 2620   | 2508 | omsecor.exe                                         | omsecor.exe                                         |
| PID 2508 wrote to memory of 2620   | 2508 | omsecor.exe                                         | omsecor.exe                                         |
| PID 2508 wrote to memory of 2620   | 2508 | omsecor.exe                                         | omsecor.exe                                         |
| PID 2508 wrote to memory of 2620   | 2508 | omsecor.exe                                         | omsecor.exe                                         |
| PID 2620 wrote to memory of 112    | 2620 | omsecor.exe                                         | omsecor.exe                                         |
| PID 2620 wrote to memory of 112    | 2620 | omsecor.exe                                         | omsecor.exe                                         |
| PID 2620 wrote to memory of 112    | 2620 | omsecor.exe                                         | omsecor.exe                                         |
| PID 2620 wrote to memory of 112    | 2620 | omsecor.exe                                         | omsecor.exe                                         |
| PID 112 wrote to memory of 2016    | 112  | omsecor.exe                                         | omsecor.exe                                         |
| PID 112 wrote to memory of 2016    | 112  | omsecor.exe                                         | omsecor.exe                                         |
| PID 112 wrote to memory of 2016    | 112  | omsecor.exe                                         | omsecor.exe                                         |
| PID 112 wrote to memory of 2016    | 112  | omsecor.exe                                         | omsecor.exe                                         |
| PID 112 wrote to memory of 2016    | 112  | omsecor.exe                                         | omsecor.exe                                         |
| PID 112 wrote to memory of 2016    | 112  | omsecor.exe                                         | omsecor.exe                                         |
| PID 2016 wrote to memory of 2216   | 2016 | omsecor.exe                                         | omsecor.exe                                         |
| PID 2016 wrote to memory of 2216   | 2016 | omsecor.exe                                         | omsecor.exe                                         |
| PID 2016 wrote to memory of 2216   | 2016 | omsecor.exe                                         | omsecor.exe                                         |
| PID 2016 wrote to memory of 2216   | 2016 | omsecor.exe                                         | omsecor.exe                                         |
| PID 2216 wrote to memory of 1896   | 2216 | omsecor.exe                                         | omsecor.exe                                         |
| PID 2216 wrote to memory of 1896   | 2216 | omsecor.exe                                         | omsecor.exe                                         |
| PID 2216 wrote to memory of 1896   | 2216 | omsecor.exe                                         | omsecor.exe                                         |
| PID 2216 wrote to memory of 1896   | 2216 | omsecor.exe                                         | omsecor.exe                                         |
| PID 2216 wrote to memory of 1896   | 2216 | omsecor.exe                                         | omsecor.exe                                         |
| PID 2216 wrote to memory of 1896   | 2216 | omsecor.exe                                         | omsecor.exe                                         |
Processes

Process tree (each entry gives the image path, the command line, the PID, and the signatures that fired; indentation shows parent/child depth):

1. C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe"
   PID: 2916
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe
      PID: 1920
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\omsecor.exe
         Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         PID: 2508
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2620
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\omsecor.exe
               Command line: C:\Windows\System32\omsecor.exe
               PID: 112
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\SysWOW64\omsecor.exe
                  Command line: C:\Windows\SysWOW64\omsecor.exe
                  PID: 2016
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Suspicious use of WriteProcessMemory

                  7. C:\Users\Admin\AppData\Roaming\omsecor.exe
                     Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                     PID: 2216
                     - Executes dropped EXE
                     - Suspicious use of SetThreadContext
                     - Suspicious use of WriteProcessMemory

                     8. C:\Users\Admin\AppData\Roaming\omsecor.exe
                        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                        PID: 1896
                        - Executes dropped EXE
Downloads

-
Filesize: 96KB
MD5: 246495e2b032733d47da73322aa83799
SHA1: 15e5b29c3d0bfc625b4154a8eef5e2495d575139
SHA256: b30c27317c0c30ca5cde48f96ac29db1dca289e2d2281cd9d2fd98e5a1a88e83
SHA512: 18be84fc666dfbdf0256b8bcb8c4f3d3733fe3922de5f00d1841817e6db0ac7c85393417752e459639f511f7695668a205d97fe3d46feab2777028ad1128625d

-
Filesize: 96KB
MD5: 085a0ccac905e875fcb379ce3954a59d
SHA1: 78239949710489636aff48bcb1e81bd2498da98d
SHA256: 6b58e0aac00ccb99a8b8084ffabf56ae7cbb795c80c4c14625a2327b8b7a6000
SHA512: bb296b947c77b8434536479fb92a9abd707a28fd1aa877bfea4cf6b1606616a16d6c4b46f4e0a4468f9db3d8b74892d8bdafa8a78bf847fdbc865423b6601707

-
Filesize: 96KB
MD5: 902e8a198640715bc9651d927e6c6eaf
SHA1: 4708079473117e57591d92d8f77e96bbfceb4a2e
SHA256: 5d019fb49fe66cacc2c1656788e4f7a1b1305d9008b3efcae86ce03a12ae66fb
SHA512: 262562993ba6186c35d5e0eb87d92484cf1afb92d62e83ea7115224c48ffe83b6e101950e5928f7576bf4532d8354dd675963255a56db043b00c5379817736ec