Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 21/05/2024, 07:57

Static task: static1
Behavioral task: behavioral1
Sample: 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
Resource: win7-20240221-en

General
- Target: 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
- Size: 96KB
- MD5: 7ec381c4b60d6d4bb8c153c3e1827110
- SHA1: 0f41884d1f4093b53849a3de27b1886f621c63a4
- SHA256: 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a
- SHA512: 0e05d6e74b8a229f5f14e8e76d60d2d7bbdb8d536bba330900ac9394eb8d6ba8b661abedeff9dfc3f6055b788b43a9bd1ade38889a8c98af0c7ed8945cb989fd
- SSDEEP: 1536:KnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:KGs8cd8eXlYairZYqMddH13L

Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures

Executes dropped EXE (6 IoCs)
- PID 2776: omsecor.exe
- PID 2568: omsecor.exe
- PID 828: omsecor.exe
- PID 1432: omsecor.exe
- PID 2260: omsecor.exe
- PID 2064: omsecor.exe

Loads dropped DLL (7 IoCs)
- PID 2828: 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
- PID 2828: 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
- PID 2776: omsecor.exe
- PID 2568: omsecor.exe
- PID 2568: omsecor.exe
- PID 1432: omsecor.exe
- PID 1432: omsecor.exe

Drops file in System32 directory (1 IoC)
- File created: C:\Windows\SysWOW64\omsecor.exe (process: omsecor.exe)

Suspicious use of SetThreadContext (4 IoCs)
- PID 2732 set thread context of 2828 (process: 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe, procid_target 28)
- PID 2776 set thread context of 2568 (process: omsecor.exe, procid_target 30)
- PID 828 set thread context of 1432 (process: omsecor.exe, procid_target 35)
- PID 2260 set thread context of 2064 (process: omsecor.exe, procid_target 37)

Suspicious use of WriteProcessMemory (36 IoCs)
- PID 2732 wrote to memory of 2828 (process: 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe, procid_target 28)
- PID 2732 wrote to memory of 2828 (process: 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe, procid_target 28)
- PID 2732 wrote to memory of 2828 (process: 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe, procid_target 28)
- PID 2732 wrote to memory of 2828 (process: 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe, procid_target 28)
- PID 2732 wrote to memory of 2828 (process: 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe, procid_target 28)
- PID 2732 wrote to memory of 2828 (process: 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe, procid_target 28)
- PID 2828 wrote to memory of 2776 (process: 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe, procid_target 29)
- PID 2828 wrote to memory of 2776 (process: 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe, procid_target 29)
- PID 2828 wrote to memory of 2776 (process: 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe, procid_target 29)
- PID 2828 wrote to memory of 2776 (process: 1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe, procid_target 29)
- PID 2776 wrote to memory of 2568 (process: omsecor.exe, procid_target 30)
- PID 2776 wrote to memory of 2568 (process: omsecor.exe, procid_target 30)
- PID 2776 wrote to memory of 2568 (process: omsecor.exe, procid_target 30)
- PID 2776 wrote to memory of 2568 (process: omsecor.exe, procid_target 30)
- PID 2776 wrote to memory of 2568 (process: omsecor.exe, procid_target 30)
- PID 2776 wrote to memory of 2568 (process: omsecor.exe, procid_target 30)
- PID 2568 wrote to memory of 828 (process: omsecor.exe, procid_target 34)
- PID 2568 wrote to memory of 828 (process: omsecor.exe, procid_target 34)
- PID 2568 wrote to memory of 828 (process: omsecor.exe, procid_target 34)
- PID 2568 wrote to memory of 828 (process: omsecor.exe, procid_target 34)
- PID 828 wrote to memory of 1432 (process: omsecor.exe, procid_target 35)
- PID 828 wrote to memory of 1432 (process: omsecor.exe, procid_target 35)
- PID 828 wrote to memory of 1432 (process: omsecor.exe, procid_target 35)
- PID 828 wrote to memory of 1432 (process: omsecor.exe, procid_target 35)
- PID 828 wrote to memory of 1432 (process: omsecor.exe, procid_target 35)
- PID 828 wrote to memory of 1432 (process: omsecor.exe, procid_target 35)
- PID 1432 wrote to memory of 2260 (process: omsecor.exe, procid_target 36)
- PID 1432 wrote to memory of 2260 (process: omsecor.exe, procid_target 36)
- PID 1432 wrote to memory of 2260 (process: omsecor.exe, procid_target 36)
- PID 1432 wrote to memory of 2260 (process: omsecor.exe, procid_target 36)
- PID 2260 wrote to memory of 2064 (process: omsecor.exe, procid_target 37)
- PID 2260 wrote to memory of 2064 (process: omsecor.exe, procid_target 37)
- PID 2260 wrote to memory of 2064 (process: omsecor.exe, procid_target 37)
- PID 2260 wrote to memory of 2064 (process: omsecor.exe, procid_target 37)
- PID 2260 wrote to memory of 2064 (process: omsecor.exe, procid_target 37)
- PID 2260 wrote to memory of 2064 (process: omsecor.exe, procid_target 37)
Processes (a single chain: each process is a child of the one above it; the number in brackets is its depth in the tree)

- [1] C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe"
  PID: 2732
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

- [2] C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
  PID: 2828
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

- [3] C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 2776
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

- [4] C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 2568
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

- [5] C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe
  PID: 828
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

- [6] C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\SysWOW64\omsecor.exe
  PID: 1432
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

- [7] C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 2260
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

- [8] C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 2064
  - Executes dropped EXE
Downloads

- Filesize: 96KB
  MD5: 6a8c8a73b03450d86d4c97f3529fa3e5
  SHA1: b44d79345d0e4084c6dbc847c17dc9fad5d6771d
  SHA256: a12ab56994ee18450c824c471e765909453754e70e01af6f30e693cc1e3ee3b0
  SHA512: cf84248d40548f7019ff4a03b86762d155cb1513e7c3fd3a2902b8a4761b03b2f8288f9e8116011e632f68ea33e094d47d35c13778439136a6468fb80e65d3ef

- Filesize: 96KB
  MD5: 58c2442275c7b29002230fd04a02e091
  SHA1: 010b64d8acfe08c70edbed4faf49bce9a581c3d7
  SHA256: 0704ba0210e50b1329e566c93092dbe7df161e2ca6556209d3a9c392b8c4c790
  SHA512: 517d52e5e798873e72134258ca32f1cb599e7892d335c761289a1aa16e91609e85d3f404060593d2b155b4b071bcec2ba1db3a9c80cfbd4c430428855b158265

- Filesize: 96KB
  MD5: f526abddb6fec7600212d4d7274def18
  SHA1: 9e0a57d6a3cd90cb8c153f66277962ec4d1a07a7
  SHA256: cf519c76c1e21a602a6983d1734ae3e579b95fc035307369ce602787603a02fd
  SHA512: 282494beb306fbb9d92dd4ee84ddb7ace95f2ca62bda3a089ddf935f3b1764a840de8e0fd0c5cef3e001a943cc4e63e4cc67810a56f4e1a97784e957798741ae