Analysis

max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 01:45

Static task: static1
Behavioral task: behavioral1
Sample: 841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: 841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
Size: 134KB
MD5: 841bb7359c3f6716699dbdf80fb4b940
SHA1: 189c31a393697856d37659e09530d9ffae30f099
SHA256: e518b0fa3c29a91839356fd7fb53f99f8b7f6637b9678b3031dffb61f8cc207d
SHA512: d05c6d9570b76e90249ba7ad13745a78cff9f776c0b9a5ea45cecb18f8c0cbb656e88557e9baafbc19111aef41ef871fe1fac5fd382d370abdbc84f4227e0c43
SSDEEP: 1536:PDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:7iRTeH0NqAW6J6f1tqF6dngNmaZC7M
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)
Processes: omsecor.exe (6 instances)
pid   process
1608  omsecor.exe
4084  omsecor.exe
1608  omsecor.exe
1884  omsecor.exe
1204  omsecor.exe
2944  omsecor.exe

Drops file in System32 directory (1 IoC)
Processes: omsecor.exe
description   ioc                              process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes: 841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe, omsecor.exe (3 instances)
description                          pid   process                                              target process
PID 4648 set thread context of 1536  4648  841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe  841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
PID 1608 set thread context of 4084  1608  omsecor.exe                                          omsecor.exe
PID 1608 set thread context of 1884  1608  omsecor.exe                                          omsecor.exe
PID 1204 set thread context of 2944  1204  omsecor.exe                                          omsecor.exe

Program crash (4 IoCs)
Processes: WerFault.exe (4 instances)
pid   pid_target  process       target process
3120  1608        WerFault.exe  omsecor.exe
2964  4648        WerFault.exe  841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
3212  1608        WerFault.exe  omsecor.exe
3376  1204        WerFault.exe  omsecor.exe

Suspicious use of WriteProcessMemory (29 IoCs)
Processes: 841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe (2 instances), omsecor.exe (5 instances)
Identical rows are collapsed; "entries" is the number of times the row appears in the report (29 in total).
description                       pid   process                                              target process                                       entries
PID 4648 wrote to memory of 1536  4648  841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe  841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe  5
PID 1536 wrote to memory of 1608  1536  841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe  omsecor.exe                                          3
PID 1608 wrote to memory of 4084  1608  omsecor.exe                                          omsecor.exe                                          5
PID 4084 wrote to memory of 1608  4084  omsecor.exe                                          omsecor.exe                                          3
PID 1608 wrote to memory of 1884  1608  omsecor.exe                                          omsecor.exe                                          5
PID 1884 wrote to memory of 1204  1884  omsecor.exe                                          omsecor.exe                                          3
PID 1204 wrote to memory of 2944  1204  omsecor.exe                                          omsecor.exe                                          5
Processes

Process tree (indentation shows the parent/child depth reported by the sandbox; each entry gives the image path, the command line, the PID and the signatures matched by that process).

[1] C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe"
    PID: 4648
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
      command line: C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
      PID: 1536
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\omsecor.exe
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 1608
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
          command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          PID: 4084
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\omsecor.exe
            command line: C:\Windows\System32\omsecor.exe
            PID: 1608
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\omsecor.exe
              command line: C:\Windows\SysWOW64\omsecor.exe
              PID: 1884
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Roaming\omsecor.exe
                command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 1204
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory
              [8] C:\Users\Admin\AppData\Roaming\omsecor.exe
                  command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                  PID: 2944
                  - Executes dropped EXE
              [8] C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 256
                  PID: 3376
                  - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 300
              PID: 3212
              - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 296
          PID: 3120
          - Program crash
  [2] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 288
      PID: 2964
      - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4648 -ip 4648
    PID: 1672

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1608 -ip 1608
    PID: 4432

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1608 -ip 1608
    PID: 3200

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1204 -ip 1204
    PID: 4808
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 134KB
MD5: ff000d5b43cdc4391be8e72df35c57d6
SHA1: 69dd2faba5aed210923f2c6feb3e88755fd4ed12
SHA256: fef2c34eb2e0465205b56bd0d7a019034bd480d047a96c589cb3b64178204e3b
SHA512: 8b9f160ba86527535b7c17f18334af31c32c7274101cc4d05440e3451024fac8762257088139988c8a59a050985a622dd76af38f11966c4c2cee856d9505da5e

Filesize: 134KB
MD5: 19b6f9f15ac8df3067d54275f67c7dc3
SHA1: f38fc26b1605b14607312aaa6c99753aa1b0c182
SHA256: 2e6190e313520edc485aa739208b09cd12f822a582e89926315992f3c2bed409
SHA512: aaa2c3e41e2102f8308ca55f81c9371b89a6e1e5f7af08f7efdea98bfe69b83f5ddcd3913fbbcaaf0f45a6221c668ada22c99c33ffbf7173c96a4bd2420c623a

Filesize: 134KB
MD5: c28bfc381a8db99ed16dde0efbb6d295
SHA1: b9b2d79b7e494f3e47aa7ae50ee8ccc981c56edb
SHA256: c8625c595b98e72714fdf3789b8082f46f5256e5812f4490ae72b217af74c6c0
SHA512: b97e0a6bfd4adac35c211eb0bfbaaceb318c203cbb0d933e42b09806ebd4cc4322bfc1f49c35747dec41c793826298b0e7f7a1d9e1f11a81ea6ecb13c100906b