Analysis
max time kernel: 149s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 19-05-2024 21:09
Static task: static1
Behavioral task: behavioral1
Sample: 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe
Resource: win7-20240220-en
General
Target: 3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe
Size: 96KB
MD5: 3a06824939308fa3b1a5774d951d4bb0
SHA1: 835a81e8c679997717562b90e11ec2723c5317a6
SHA256: a47c73c19b4e5f5f7206a46a5adef98372d9e624387c17a398b5d4e4306a10ab
SHA512: 0ee3c09afce90c7d6dcaaabe4a1ea8f6e2ad9a56c888d5c10c430549ed7159c0ecfdbf5ced8090227ce9106500c65dd608371ea71275d86ab463309bbd24dc0e
SSDEEP: 1536:wnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:wGs8cd8eXlYairZYqMddH13L
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)
  pid   process
  460   omsecor.exe
  1204  omsecor.exe
  4328  omsecor.exe
  2492  omsecor.exe
  4508  omsecor.exe
  1560  omsecor.exe

Drops file in System32 directory (1 IoC)
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                           pid   process                                               target process
  PID 2284 set thread context of 2696   2284  3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe   3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe
  PID 460 set thread context of 1204    460   omsecor.exe                                           omsecor.exe
  PID 4328 set thread context of 2492   4328  omsecor.exe                                           omsecor.exe
  PID 4508 set thread context of 1560   4508  omsecor.exe                                           omsecor.exe

Program crash (4 IoCs)
  pid   pid_target  process       target process
  1436  2284        WerFault.exe  3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe
  2548  460         WerFault.exe  omsecor.exe
  1776  4328        WerFault.exe  omsecor.exe
  4932  4508        WerFault.exe  omsecor.exe

Suspicious use of WriteProcessMemory (29 IoCs; identical entries collapsed with a count)
  description                        pid   process                                               target process
  PID 2284 wrote to memory of 2696   2284  3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe   3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe   (x5)
  PID 2696 wrote to memory of 460    2696  3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe   omsecor.exe                                           (x3)
  PID 460 wrote to memory of 1204    460   omsecor.exe                                           omsecor.exe                                           (x5)
  PID 1204 wrote to memory of 4328   1204  omsecor.exe                                           omsecor.exe                                           (x3)
  PID 4328 wrote to memory of 2492   4328  omsecor.exe                                           omsecor.exe                                           (x5)
  PID 2492 wrote to memory of 4508   2492  omsecor.exe                                           omsecor.exe                                           (x3)
  PID 4508 wrote to memory of 1560   4508  omsecor.exe                                           omsecor.exe                                           (x5)
Processes
(indentation shows the parent/child tree; the depth marker on each entry gives the level)

C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe (PID 2284, depth 1)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe (PID 2696, depth 2)
    cmdline: C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 460, depth 3)
      cmdline: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1204, depth 4)
        cmdline: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\omsecor.exe (PID 4328, depth 5)
          cmdline: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\omsecor.exe (PID 2492, depth 6)
            cmdline: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 4508, depth 7)
              cmdline: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
              C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1560, depth 8)
                cmdline: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
              C:\Windows\SysWOW64\WerFault.exe (PID 4932, depth 8)
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 268
                - Program crash
          C:\Windows\SysWOW64\WerFault.exe (PID 1776, depth 6)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 292
            - Program crash
      C:\Windows\SysWOW64\WerFault.exe (PID 2548, depth 4)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 288
        - Program crash
  C:\Windows\SysWOW64\WerFault.exe (PID 1436, depth 2)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 288
    - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 2752, depth 1)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2284 -ip 2284

C:\Windows\SysWOW64\WerFault.exe (PID 432, depth 1)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 460 -ip 460

C:\Windows\SysWOW64\WerFault.exe (PID 2076, depth 1)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4328 -ip 4328

C:\Windows\SysWOW64\WerFault.exe (PID 3840, depth 1)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4508 -ip 4508
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 96KB
MD5: 59a6c6ae10124b37fa2f120f4685694f
SHA1: 130dcb6a8fc36faaa976dbaeb6e4d7e196f81afd
SHA256: b2f6bc73d254db4a4f23a120c90f81b5b5434d5b67e4b5255f4e3f9ebcbeaa5d
SHA512: 6d227da9aff340982a79b7a3b6e6a1e6803d6095ee12ba351f240b50a8ed3904e9dcbc3cd42d86a61474fd46ae4eab6c35d2573c3d003d450605dcd5e2c25ab1

Filesize: 96KB
MD5: 246495e2b032733d47da73322aa83799
SHA1: 15e5b29c3d0bfc625b4154a8eef5e2495d575139
SHA256: b30c27317c0c30ca5cde48f96ac29db1dca289e2d2281cd9d2fd98e5a1a88e83
SHA512: 18be84fc666dfbdf0256b8bcb8c4f3d3733fe3922de5f00d1841817e6db0ac7c85393417752e459639f511f7695668a205d97fe3d46feab2777028ad1128625d

Filesize: 96KB
MD5: f7d6a671395ea3d10088b54b156371fd
SHA1: 240c751abaab5abc4e04478a9f73056681d29320
SHA256: f004f4232409cb1b9e4e24bfe22219ca2e3f5277b7ede23fcbdcb47144cc2d60
SHA512: c84d8f4be7b18563a176051a4424112bd2b60c34a91e56032855313e19a782f3a2a9726eee353481e7ae73def7d3bcf56acc39c27c65d2ec2267d9782ecd3e28