Analysis

max time kernel: 146s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20-05-2024 01:45

Static task: static1
Behavioral task: behavioral1
Sample: 841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: 841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
Size: 134KB
MD5: 841bb7359c3f6716699dbdf80fb4b940
SHA1: 189c31a393697856d37659e09530d9ffae30f099
SHA256: e518b0fa3c29a91839356fd7fb53f99f8b7f6637b9678b3031dffb61f8cc207d
SHA512: d05c6d9570b76e90249ba7ad13745a78cff9f776c0b9a5ea45cecb18f8c0cbb656e88557e9baafbc19111aef41ef871fe1fac5fd382d370abdbc84f4227e0c43
SSDEEP: 1536:PDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:7iRTeH0NqAW6J6f1tqF6dngNmaZC7M
Malware Config

Extracted
Family: neconyd
C2:
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)
Processes:
  PID   Process
  2624  omsecor.exe
  3060  omsecor.exe
  1448  omsecor.exe
  2808  omsecor.exe
  1336  omsecor.exe
  1240  omsecor.exe

Loads dropped DLL (7 IoCs)
Processes:
  PID   Process
  908   841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
  908   841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
  2624  omsecor.exe
  3060  omsecor.exe
  3060  omsecor.exe
  2808  omsecor.exe
  2808  omsecor.exe

Drops file in System32 directory (1 IoC)
Processes:
  Description   IoC                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes:
  Description                          PID   Process                                               Target process
  PID 2104 set thread context of 908   2104  841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe  841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
  PID 2624 set thread context of 3060  2624  omsecor.exe                                           omsecor.exe
  PID 1448 set thread context of 2808  1448  omsecor.exe                                           omsecor.exe
  PID 1336 set thread context of 1240  1336  omsecor.exe                                           omsecor.exe

Suspicious use of WriteProcessMemory (36 IoCs)
Processes (identical rows collapsed; the last column gives how many times each row occurs):
  Description                        PID   Process                                               Target process                                        Occurrences
  PID 2104 wrote to memory of 908    2104  841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe  841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe  6
  PID 908 wrote to memory of 2624    908   841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe  omsecor.exe                                           4
  PID 2624 wrote to memory of 3060   2624  omsecor.exe                                           omsecor.exe                                           6
  PID 3060 wrote to memory of 1448   3060  omsecor.exe                                           omsecor.exe                                           4
  PID 1448 wrote to memory of 2808   1448  omsecor.exe                                           omsecor.exe                                           6
  PID 2808 wrote to memory of 1336   2808  omsecor.exe                                           omsecor.exe                                           4
  PID 1336 wrote to memory of 1240   1336  omsecor.exe                                           omsecor.exe                                           6
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2104

  Depth 2: C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 908

    Depth 3: C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 2624

      Depth 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        PID: 3060

        Depth 5: C:\Windows\SysWOW64\omsecor.exe
          Command line: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID: 1448

          Depth 6: C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            PID: 2808

            Depth 7: C:\Users\Admin\AppData\Roaming\omsecor.exe
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
              PID: 1336

              Depth 8: C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                PID: 1240
Downloads

Filesize: 134KB
MD5: 19b6f9f15ac8df3067d54275f67c7dc3
SHA1: f38fc26b1605b14607312aaa6c99753aa1b0c182
SHA256: 2e6190e313520edc485aa739208b09cd12f822a582e89926315992f3c2bed409
SHA512: aaa2c3e41e2102f8308ca55f81c9371b89a6e1e5f7af08f7efdea98bfe69b83f5ddcd3913fbbcaaf0f45a6221c668ada22c99c33ffbf7173c96a4bd2420c623a

Filesize: 134KB
MD5: b9d318413e7b40877a2ccf662aa5078d
SHA1: ec119789c6318b9c7fdd367ae1a21e3695c4d49d
SHA256: 065be7f6ac286ae9b2432432d4ee5497e55b3cc9309ec124570dcab4a0918424
SHA512: 8f067829eac59f40fd31302e4083039b779d1e52cde36dff46d1a9858bc0a83e679556503fe8512b626aec990724370d587adad97781bc89caf70745449a5b99

Filesize: 134KB
MD5: 2682b6085bf5224be33516bb43320476
SHA1: 69245f5c013b7a684679b2c9ece7595f8e04aab4
SHA256: 91d090c9cb5b85468023ddb91c8524ff2244a9e8db2720b57e4ba580976feddf
SHA512: fbf41559ae5aab0b2a45b4ba84b92c15e07cddd89034efbf1caaa8521f93bf00f7a12b80653e6e0532b4e511ed36717fc7f148fd00f88dc692fb157cba4c5d4d