Analysis

max time kernel:   146s
max time network:  148s
platform:          windows10-2004_x64
resource:          win10v2004-20240508-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted:         20-05-2024 10:19

Static task:       static1
Behavioral task:   behavioral1
Sample:            e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe
Resource:          win7-20240508-en
General

Target:  e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe
Size:    134KB
MD5:     e6e1e81e06c9a2a6a4bc75d57cc229b0
SHA1:    1d472ae96d62f0bf0652bbbd7391b2d59d737e09
SHA256:  e178115b6696cca91a0e9dc17f21a186ddb79b9f44e16a7f8c9815652bec0e54
SHA512:  b7267ec2e6b3d6469a0fb5f21b953d562f4c68efd2e1d2a8734bb88e33e41e4511853e67a92d43af648ddcf712d34d364f57b37afe445e5cf6231cf542c9e15c
SSDEEP:  1536:LDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:HiRTeH0iqAW6J6f1tqF6dngNmaZCia
Malware Config

Extracted family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)
  PID   process
  1396  omsecor.exe
  876   omsecor.exe
  3412  omsecor.exe
  3688  omsecor.exe
  4908  omsecor.exe
  4532  omsecor.exe

Drops file in System32 directory (1 IoC)
  description   IoC                              process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
  PID   process                                              target PID  target process
  412   e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe  1204        e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe
  1396  omsecor.exe                                          876         omsecor.exe
  3412  omsecor.exe                                          3688        omsecor.exe
  4908  omsecor.exe                                          4532        omsecor.exe

Program crash (4 IoCs)
  PID   process       target PID  target process
  2144  WerFault.exe  412         e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe
  456   WerFault.exe  1396        omsecor.exe
  856   WerFault.exe  3412        omsecor.exe
  3244  WerFault.exe  4908        omsecor.exe

Suspicious use of WriteProcessMemory (29 IoCs)
  The 29 "wrote to memory of" events are grouped by (source PID, target PID); the count column is the number of events on that edge.
  PID   process                                              target PID  target process                                       count
  412   e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe  1204        e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe  5
  1204  e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe  1396        omsecor.exe                                          3
  1396  omsecor.exe                                          876         omsecor.exe                                          5
  876   omsecor.exe                                          3412        omsecor.exe                                          3
  3412  omsecor.exe                                          3688        omsecor.exe                                          5
  3688  omsecor.exe                                          4908        omsecor.exe                                          3
  4908  omsecor.exe                                          4532        omsecor.exe                                          5
Processes

Indentation shows depth in the process tree. Each entry lists the image path, the command line as recorded, the signatures it triggered, and its PID.

[depth 1] C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 412

  [depth 2] C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe
    - Suspicious use of WriteProcessMemory
    PID: 1204

    [depth 3] C:\Users\Admin\AppData\Roaming\omsecor.exe
      cmdline: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 1396

      [depth 4] C:\Users\Admin\AppData\Roaming\omsecor.exe
        cmdline: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        PID: 876

        [depth 5] C:\Windows\SysWOW64\omsecor.exe
          cmdline: C:\Windows\System32\omsecor.exe
          (The command line names System32, but this is a 32-bit process: WoW64 file-system redirection maps that path to SysWOW64, which is where the file was actually dropped and run from.)
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID: 3412

          [depth 6] C:\Windows\SysWOW64\omsecor.exe
            cmdline: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            PID: 3688

            [depth 7] C:\Users\Admin\AppData\Roaming\omsecor.exe
              cmdline: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
              PID: 4908

              [depth 8] C:\Users\Admin\AppData\Roaming\omsecor.exe
                cmdline: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                PID: 4532

              [depth 8] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 256
                - Program crash
                PID: 3244

          [depth 6] C:\Windows\SysWOW64\WerFault.exe
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 292
            - Program crash
            PID: 856

      [depth 4] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 288
        - Program crash
        PID: 456

  [depth 2] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 288
    - Program crash
    PID: 2144

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 412 -ip 412
  PID: 4032

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1396 -ip 1396
  PID: 3488

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3412 -ip 3412
  PID: 3672

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4908 -ip 4908
  PID: 760
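The signature tables and the process tree above describe the same chain from three angles: WriteProcessMemory edges, SetThreadContext calls, and WerFault crashes. The script below is an added example by the editor, not part of the sandbox report or the sample, that correlates them. The event tuples and WerFault command lines are transcribed from this report; the correlation rules (a write edge between two processes of the same image followed by SetThreadContext is treated as hollowing, a write edge without SetThreadContext as a plain hand-off to the next dropped copy, and `-p <pid>` on a WerFault command line as the crashed process) and the helper names are the editor's assumptions.

```python
"""Correlate this report's behaviour signatures into an injection chain.

Added example: the event tuples below are transcribed from the report's
SetThreadContext / WriteProcessMemory / Program crash tables and from the
WerFault command lines in the process tree.  The correlation rules and the
function names are the editor's, not the sandbox's.
"""
from collections import Counter

SAMPLE = "e6e1e81e06c9a2a6a4bc75d57cc229b0_NeikiAnalytics.exe"
DROPPED = "omsecor.exe"

# (source pid, source image, target pid, target image), one tuple per event.
WRITE_PROCESS_MEMORY = (
    [(412, SAMPLE, 1204, SAMPLE)] * 5
    + [(1204, SAMPLE, 1396, DROPPED)] * 3
    + [(1396, DROPPED, 876, DROPPED)] * 5
    + [(876, DROPPED, 3412, DROPPED)] * 3
    + [(3412, DROPPED, 3688, DROPPED)] * 5
    + [(3688, DROPPED, 4908, DROPPED)] * 3
    + [(4908, DROPPED, 4532, DROPPED)] * 5
)
SET_THREAD_CONTEXT = [
    (412, SAMPLE, 1204, SAMPLE),
    (1396, DROPPED, 876, DROPPED),
    (3412, DROPPED, 3688, DROPPED),
    (4908, DROPPED, 4532, DROPPED),
]
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 256",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 292",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 288",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 288",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 412 -ip 412",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1396 -ip 1396",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3412 -ip 3412",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4908 -ip 4908",
]


def write_counts(wpm):
    """Number of WriteProcessMemory events per (source pid, target pid) edge."""
    return Counter((src, dst) for src, _, dst, _ in wpm)


def classify_edges(wpm, stc):
    """Label every write edge as 'hollowing' or 'hand-off'.

    hollowing: the source wrote into a child running the same image and then
               called SetThreadContext on it (process-hollowing fingerprint).
    hand-off:  writes with no SetThreadContext; in this tree these are the
               launches of the next dropped copy (Roaming -> SysWOW64 -> Roaming).
    """
    stc_edges = {(src, dst) for src, simg, dst, dimg in stc if simg == dimg}
    return {edge: ("hollowing" if edge in stc_edges else "hand-off")
            for edge in write_counts(wpm)}


def injection_chain(wpm):
    """Follow the write edges starting at the one pid that is never a target."""
    nxt = {src: dst for src, _, dst, _ in wpm}
    roots = set(nxt) - set(nxt.values())
    if len(roots) != 1:
        raise ValueError(f"expected a single root, got {sorted(roots)}")
    chain = [roots.pop()]
    while chain[-1] in nxt:
        dst = nxt[chain[-1]]
        if dst in chain:  # guard against a malformed, cyclic event log
            break
        chain.append(dst)
    return chain


def crashed_pids(cmdlines):
    """PIDs named by '-p <pid>' on WerFault command lines ('-pss' is a distinct token)."""
    pids = set()
    for cmdline in cmdlines:
        parts = cmdline.split()
        if "-p" in parts:
            pids.add(int(parts[parts.index("-p") + 1]))
    return pids


def injectors_crashed(wpm, stc, cmdlines):
    """True when exactly the hollowing sources are the processes WerFault reported."""
    injectors = {src for (src, _), kind in classify_edges(wpm, stc).items()
                 if kind == "hollowing"}
    return injectors == crashed_pids(cmdlines)


if __name__ == "__main__":
    counts = write_counts(WRITE_PROCESS_MEMORY)
    print(" -> ".join(map(str, injection_chain(WRITE_PROCESS_MEMORY))))
    for (src, dst), kind in classify_edges(WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT).items():
        print(f"{src:>5} -> {dst:<5} {kind:<9} writes={counts[(src, dst)]}")
    print("crashed:", sorted(crashed_pids(WERFAULT_CMDLINES)),
          "| injectors == crashed:",
          injectors_crashed(WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT, WERFAULT_CMDLINES))
```

Run against the transcribed events, the chain comes out as 412 -> 1204 -> 1396 -> 876 -> 3412 -> 3688 -> 4908 -> 4532, every hollowing edge carries five writes and every hand-off three, and the set of hollowing sources (412, 1396, 3412, 4908) is exactly the set of PIDs WerFault reported: each injector crashes after handing execution to its hollowed child, while the child survives to launch the next copy of omsecor.exe. The same rules apply to any sandbox export that records write/context/crash events as source-target PID pairs.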
Network
MITRE ATT&CK Matrix
Downloads

Dropped file 1
  Filesize:  134KB
  MD5:       f1f33d4dd65a06546b32e56a4f10b0e1
  SHA1:      f0fed91149ec8f89e94af540ddafcaf602f23c2b
  SHA256:    ab96330ac27d557bacf0c8b14381b5240a77b4d8fdf41db27036385de92a2fe8
  SHA512:    2a2066dc0286390c03ed8e5c64efeac9d31932ce5d3a60a575e717c623a0cb818f6a2938266cb912990b6b2e43cfea2393077d64a2b6c758c54120437dfd44fc

Dropped file 2
  Filesize:  134KB
  MD5:       f070806249d51972e6924609e9350db4
  SHA1:      fdb9ac094e1320f77ce8acbc156eb081c1018dc7
  SHA256:    d0f384b0569b25028f12b5b57675fd4b07ca804309fa4849c8d88ca1aff41892
  SHA512:    bb0fa709c7ca7c2cf16da3d6ec316b9629d058e333fc1a536beb608eb3e9a34111fd6b5bede61aa9369b18575d5a5fc111702acabe3477b8df667a758e71ec91

Dropped file 3
  Filesize:  134KB
  MD5:       de3ea46560c7e0ed009b4ddb95145899
  SHA1:      b03a199fc83a8f79b6e3115e36cee413ebe5768a
  SHA256:    19a21890ef1e4d6fa7f181ebd07e5c096cacfc117cbf5eb01ccbabd3b8b99566
  SHA512:    4a3ea27bfdf413baf400de50969fb6f0244093c8af86bb06de43e9e6606fbcbcfafc8f68f3796af44664e1867a36a712bf06a20e2c95bd38d6dafb79853a9998