Analysis
max time kernel: 141s
max time network: 131s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 20-05-2024 00:31

Static task: static1
Behavioral task: behavioral1
Sample: 6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
Resource: win7-20231129-en
General
Target: 6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
Size: 96KB
MD5: 6eaf2c2b326411b3ae3448e0b6fc1600
SHA1: 17ec7ed415b4ed63ebcc724e188a23b634a39082
SHA256: 371e71a4f6c3ebe555ed82cc36b31867c3e8b04cd464295b2137c4770fdbaa18
SHA512: cb37119b57f6332c804b42acd175e88f45c1ddfc17b2b78a7d1bfa1a90314c8f3e3933f79db61e46c172c55e215440d845008de9aac99b4a5bae2c147a3f9d8b
SSDEEP: 1536:EnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:EGs8cd8eXlYairZYqMddH13L
Malware Config
Extracted: neconyd
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)
Processes: omsecor.exe
  PID 2564 omsecor.exe
  PID 2672 omsecor.exe
  PID 1540 omsecor.exe
  PID 2796 omsecor.exe
  PID 2012 omsecor.exe
  PID 1504 omsecor.exe

Loads dropped DLL (7 IoCs)
Processes: 6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe, omsecor.exe
  PID 2352 6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
  PID 2352 6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
  PID 2564 omsecor.exe
  PID 2672 omsecor.exe
  PID 2672 omsecor.exe
  PID 2796 omsecor.exe
  PID 2796 omsecor.exe

Drops file in System32 directory (1 IoC)
Process: omsecor.exe
  File created: C:\Windows\SysWOW64\omsecor.exe (by omsecor.exe)

Suspicious use of SetThreadContext (4 IoCs)
Processes: 6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe, omsecor.exe
  PID 2244 (6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe) set thread context of PID 2352 (6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe)
  PID 2564 (omsecor.exe) set thread context of PID 2672 (omsecor.exe)
  PID 1540 (omsecor.exe) set thread context of PID 2796 (omsecor.exe)
  PID 2012 (omsecor.exe) set thread context of PID 1504 (omsecor.exe)

Suspicious use of WriteProcessMemory (36 IoCs)
Processes: 6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe, omsecor.exe
  PID 2244 (6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe) wrote to memory of PID 2352 (6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe): 6 IoCs
  PID 2352 (6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe) wrote to memory of PID 2564 (omsecor.exe): 4 IoCs
  PID 2564 (omsecor.exe) wrote to memory of PID 2672 (omsecor.exe): 6 IoCs
  PID 2672 (omsecor.exe) wrote to memory of PID 1540 (omsecor.exe): 4 IoCs
  PID 1540 (omsecor.exe) wrote to memory of PID 2796 (omsecor.exe): 6 IoCs
  PID 2796 (omsecor.exe) wrote to memory of PID 2012 (omsecor.exe): 4 IoCs
  PID 2012 (omsecor.exe) wrote to memory of PID 1504 (omsecor.exe): 6 IoCs
Processes

[1] C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe"
    PID: 2244
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
      PID: 2352
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2564
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
          Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          PID: 2672
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\System32\omsecor.exe
            PID: 1540
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\omsecor.exe
              Command line: C:\Windows\SysWOW64\omsecor.exe
              PID: 2796
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory

            [7] C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 2012
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory

              [8] C:\Users\Admin\AppData\Roaming\omsecor.exe
                  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                  PID: 1504
                  - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

File 1
  Filesize: 96KB
  MD5: e3a599ec10fab6201e487e0e03b7eded
  SHA1: 7a91e83115ba8e4d0154847f41540458aab3af04
  SHA256: c41c378f356b796115fc0be17d1ba03df82deb0453c9d4c8c87bfee49f6c2411
  SHA512: 0a4bac34d268b6782f6367d3d1908309431f4999a6854ca97b7d96983ffc955816f1643d850fa96f3191564934a22ac1efb1185a1c9d77b0c728f331f0e7e432

File 2
  Filesize: 96KB
  MD5: de0ff6bacd0eb160161f33683042c393
  SHA1: 4fe33cc108df6fbc4c4ccf75d289289ad4839433
  SHA256: d8894572f8b917635f3d0464a5552e8a97f652624de91e4f13c354a2f121cd21
  SHA512: 7e7b99068a64470606ce02663ce04ec2af36010335f55ba7dd27c7d2351c142d33310797ba88f1d0cb793503d96556dfe61ad920579d39241f9658284389d1df

File 3
  Filesize: 96KB
  MD5: a29d1b26a8b53d1783c61b98df5eef57
  SHA1: 335cd0d9aaa7ffb0757eb16242067968bf84376b
  SHA256: 37e3578530e7c43cab1026b10d228e3c747047adc3cbb73c5852b2ee5866ae82
  SHA512: 566040985de597d99397c22c845d97c15b71626d23f9ed554fb88431ae65dacbabb76f568ac7f1bf6ce43797b244785f742237cccfbe16d64168f58fa347b448