neconyd | 1d75a2266f657eef879cc76771f1dec0ac0f2b62f5c066d3a1a9e9548252ea54

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13855ddc6357c876c446d51b88ae2b00_NEIKI.exe
Size

76KB
MD5

13855ddc6357c876c446d51b88ae2b00
SHA1

c01ce28f0c36ee8ee39452e39303b8bb0781d6c5
SHA256

1d75a2266f657eef879cc76771f1dec0ac0f2b62f5c066d3a1a9e9548252ea54
SHA512

af3023e8b6812a0bf22ad300cb7476c3eba536ddfa12ba7bb39e94cc25f820915346bafe201f9638dd1c9d146c16e2cbc37dd34d0e930e17b83f50489d6c2a44
SSDEEP

1536:Sd9dseIOcE93NIvYvZEyFhEEOF6N4yS+AQmZTl/5s11:idseIOKEZEyF6EOFqTiQm5l/5s11

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2420	omsecor.exe
2144	omsecor.exe
2412	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2208	13855ddc6357c876c446d51b88ae2b00_NEIKI.exe
2208	13855ddc6357c876c446d51b88ae2b00_NEIKI.exe
2420	omsecor.exe
2420	omsecor.exe
2144	omsecor.exe
2144	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2420	2208	13855ddc6357c876c446d51b88ae2b00_NEIKI.exe	28
PID 2208 wrote to memory of 2420	2208	13855ddc6357c876c446d51b88ae2b00_NEIKI.exe	28
PID 2208 wrote to memory of 2420	2208	13855ddc6357c876c446d51b88ae2b00_NEIKI.exe	28
PID 2208 wrote to memory of 2420	2208	13855ddc6357c876c446d51b88ae2b00_NEIKI.exe	28
PID 2420 wrote to memory of 2144	2420	omsecor.exe	32
PID 2420 wrote to memory of 2144	2420	omsecor.exe	32
PID 2420 wrote to memory of 2144	2420	omsecor.exe	32
PID 2420 wrote to memory of 2144	2420	omsecor.exe	32
PID 2144 wrote to memory of 2412	2144	omsecor.exe	33
PID 2144 wrote to memory of 2412	2144	omsecor.exe	33
PID 2144 wrote to memory of 2412	2144	omsecor.exe	33
PID 2144 wrote to memory of 2412	2144	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\13855ddc6357c876c446d51b88ae2b00_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\13855ddc6357c876c446d51b88ae2b00_NEIKI.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:2412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
12374d7cf262fa281e766cd99c2c80dc

SHA1
5baaf7dc541000d094ec71498c53236292a75346

SHA256
dc55eaea31dd8187c9db7831eb20e4d382817af60de69b3af43f956972c2b02e

SHA512
d23347acb98f572c02f86d10348823fe786c9a18916025a789149c36829c454bd2fc518a464f9bbdd8b9ce203d72414c6efe5251b1cc303fd82397d32f23ea71

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
c89973507da50b5410e2a555cace6c58

SHA1
f09be69423f6726e5eb51b5734f4a3367fcd8eeb

SHA256
cec1bc139896d2de449b2507983700ebcabcec3b6bc57b5523a388c75b605752

SHA512
4fd9aab26f23803a5b4bcd5353e1404cf073dda07545d184cfa089b9d0e439aadf94ac9f4d772e282976aaeef63e024acacd92a59833bd29b6e6c27ba1dfa9c8

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
32c18713fbfb9b85d9651d2544cc4c77

SHA1
150aaeff55f1c98dff09bd1023012729fde8355d

SHA256
7a41e39db26c686e8e28fd96a944ddbe6cf8a6668eb2f31bd1db8f2037fa8cac

SHA512
0b2c5491d558e142e5ef8700ee4ba50ba22dea135d52267b0e24135d76a88f53bed23bf02cacd4fffcda2aecc5425f2a9e35fffe2e68a129deaa84a5ea960e76

Download Submit
memory/2144-29-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2144-28-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2208-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2412-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2420-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2420-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2420-16-0x0000000000310000-0x000000000033A000-memory.dmp

Filesize
168KB

Download
memory/2420-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download