Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 00:31
Static task: static1
Behavioral task: behavioral1
Sample: 6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
Resource: win7-20231129-en
General
Target: 6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
Size: 96KB
MD5: 6eaf2c2b326411b3ae3448e0b6fc1600
SHA1: 17ec7ed415b4ed63ebcc724e188a23b634a39082
SHA256: 371e71a4f6c3ebe555ed82cc36b31867c3e8b04cd464295b2137c4770fdbaa18
SHA512: cb37119b57f6332c804b42acd175e88f45c1ddfc17b2b78a7d1bfa1a90314c8f3e3933f79db61e46c172c55e215440d845008de9aac99b4a5bae2c147a3f9d8b
SSDEEP: 1536:EnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:EGs8cd8eXlYairZYqMddH13L
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)
  pid   process
  4232  omsecor.exe
  1540  omsecor.exe
  3300  omsecor.exe
  3644  omsecor.exe
  4664  omsecor.exe
  5104  omsecor.exe

Drops file in System32 directory (1 IoC)
  description   ioc                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   process                                               target process
  PID 3344 set thread context of 3792  3344  6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe  6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
  PID 4232 set thread context of 1540  4232  omsecor.exe                                           omsecor.exe
  PID 3300 set thread context of 3644  3300  omsecor.exe                                           omsecor.exe
  PID 4664 set thread context of 5104  4664  omsecor.exe                                           omsecor.exe

Program crash (4 IoCs)
  pid   pid_target  process       target process
  2092  3344        WerFault.exe  6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
  1908  4232        WerFault.exe  omsecor.exe
  3128  3300        WerFault.exe  omsecor.exe
  2580  4664        WerFault.exe  omsecor.exe

Suspicious use of WriteProcessMemory (29 IoCs; identical events are grouped, with the count in the last column)
  description                        pid   process                                               target process                                        events
  PID 3344 wrote to memory of 3792   3344  6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe  6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe  5
  PID 3792 wrote to memory of 4232   3792  6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe  omsecor.exe                                           3
  PID 4232 wrote to memory of 1540   4232  omsecor.exe                                           omsecor.exe                                           5
  PID 1540 wrote to memory of 3300   1540  omsecor.exe                                           omsecor.exe                                           3
  PID 3300 wrote to memory of 3644   3300  omsecor.exe                                           omsecor.exe                                           5
  PID 3644 wrote to memory of 4664   3644  omsecor.exe                                           omsecor.exe                                           3
  PID 4664 wrote to memory of 5104   4664  omsecor.exe                                           omsecor.exe                                           5
Processes (the number in brackets is the depth in the process tree; children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe"
    PID: 3344
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\6eaf2c2b326411b3ae3448e0b6fc1600_NeikiAnalytics.exe
      PID: 3792
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 4232
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
          Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          PID: 1540
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\System32\omsecor.exe
            PID: 3300
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\omsecor.exe
              Command line: C:\Windows\SysWOW64\omsecor.exe
              PID: 3644
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory

            [7] C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 4664
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory

              [8] C:\Users\Admin\AppData\Roaming\omsecor.exe
                  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                  PID: 5104
                  - Executes dropped EXE

              [8] C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 256
                  PID: 2580
                  - Program crash

          [6] C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 292
              PID: 3128
              - Program crash

      [4] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 288
          PID: 1908
          - Program crash

  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 288
      PID: 2092
      - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3344 -ip 3344
    PID: 3000

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4232 -ip 4232
    PID: 1604

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3300 -ip 3300
    PID: 1040

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4664 -ip 4664
    PID: 3668
Network
MITRE ATT&CK Matrix
Downloads
Dropped file 1
  Filesize: 96KB
  MD5: 9c72da8eb0229b5bd6fb47bfd8caa6a5
  SHA1: ab7e932e83179b17fab5d1e1715e43c509b362f6
  SHA256: 9547b2e6477c6204113a57a072e02e421f16c082a0bb424be0ce34a1bbbe7263
  SHA512: 26d6a33c1a959f3ac64a9de36825cc9ff6fb95841c828a0d37194b53db0bbcbd24b77d558e5da908b2359f5c4da03dc446b0f3af856461fd7f08c1be0ed437b8

Dropped file 2
  Filesize: 96KB
  MD5: e3a599ec10fab6201e487e0e03b7eded
  SHA1: 7a91e83115ba8e4d0154847f41540458aab3af04
  SHA256: c41c378f356b796115fc0be17d1ba03df82deb0453c9d4c8c87bfee49f6c2411
  SHA512: 0a4bac34d268b6782f6367d3d1908309431f4999a6854ca97b7d96983ffc955816f1643d850fa96f3191564934a22ac1efb1185a1c9d77b0c728f331f0e7e432

Dropped file 3
  Filesize: 96KB
  MD5: 6cba678ca333e8d4a7747bce41cf4467
  SHA1: 7b90ea72ed78383c657397c4eeb50825cb4eeef2
  SHA256: a415b494f55434c8423884d7ee296d49706bc7754933131b6fd6eb53d340cf61
  SHA512: c17f1a16f45b910f1e5bc5fd0715e1b62356bca26d9aeef0210d35ed07324fb3dd4226d2349b8c61e013b82f1e62c8331b5df1582247053cc98827033b13762e