Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 20-05-2024 10:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe
- Resource: win7-20240508-en
General
- Target: e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe
- Size: 134KB
- MD5: e6e1e81e06c9a2a6a4bc75d57cc229b0
- SHA1: 1d472ae96d62f0bf0652bbbd7391b2d59d737e09
- SHA256: e178115b6696cca91a0e9dc17f21a186ddb79b9f44e16a7f8c9815652bec0e54
- SHA512: b7267ec2e6b3d6469a0fb5f21b953d562f4c68efd2e1d2a8734bb88e33e41e4511853e67a92d43af648ddcf712d34d364f57b37afe445e5cf6231cf542c9e15c
- SSDEEP: 1536:LDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:HiRTeH0iqAW6J6f1tqF6dngNmaZCia
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Executes dropped EXE (6 IoCs)
  Processes: omsecor.exe (PID 1676), omsecor.exe (PID 2360), omsecor.exe (PID 2864), omsecor.exe (PID 2732), omsecor.exe (PID 852), omsecor.exe (PID 572)
- Loads dropped DLL (7 IoCs)
  Processes: e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe (PID 2260, 2 events), omsecor.exe (PID 1676, 1 event), omsecor.exe (PID 2360, 2 events), omsecor.exe (PID 2732, 2 events)
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\omsecor.exe by omsecor.exe
- Suspicious use of SetThreadContext (4 IoCs)
  PID 2408 e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe set thread context of PID 2260 e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe
  PID 1676 omsecor.exe set thread context of PID 2360 omsecor.exe
  PID 2864 omsecor.exe set thread context of PID 2732 omsecor.exe
  PID 852 omsecor.exe set thread context of PID 572 omsecor.exe
- Suspicious use of WriteProcessMemory (36 IoCs; identical events collapsed, count in parentheses)
  PID 2408 e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe wrote to memory of PID 2260 e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe (6)
  PID 2260 e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe wrote to memory of PID 1676 omsecor.exe (4)
  PID 1676 omsecor.exe wrote to memory of PID 2360 omsecor.exe (6)
  PID 2360 omsecor.exe wrote to memory of PID 2864 omsecor.exe (4)
  PID 2864 omsecor.exe wrote to memory of PID 2732 omsecor.exe (6)
  PID 2732 omsecor.exe wrote to memory of PID 852 omsecor.exe (4)
  PID 852 omsecor.exe wrote to memory of PID 572 omsecor.exe (6)
Processes (each entry is a child of the one above it)
1. C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe (PID 2408)
   Command line: "C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe (PID 2260)
   Command line: C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1676)
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2360)
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\omsecor.exe (PID 2864)
   Command line: C:\Windows\System32\omsecor.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\omsecor.exe (PID 2732)
   Command line: C:\Windows\SysWOW64\omsecor.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 852)
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
8. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 572)
   Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
   - Executes dropped EXE
Downloads