neconyd | 1d75a2266f657eef879cc76771f1dec0ac0f2b62f5c066d3a1a9e9548252ea54

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 19:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

13855ddc6357c876c446d51b88ae2b00_NEIKI.exe
Size

76KB
MD5

13855ddc6357c876c446d51b88ae2b00
SHA1

c01ce28f0c36ee8ee39452e39303b8bb0781d6c5
SHA256

1d75a2266f657eef879cc76771f1dec0ac0f2b62f5c066d3a1a9e9548252ea54
SHA512

af3023e8b6812a0bf22ad300cb7476c3eba536ddfa12ba7bb39e94cc25f820915346bafe201f9638dd1c9d146c16e2cbc37dd34d0e930e17b83f50489d6c2a44
SSDEEP

1536:Sd9dseIOcE93NIvYvZEyFhEEOF6N4yS+AQmZTl/5s11:idseIOKEZEyF6EOFqTiQm5l/5s11

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2848	omsecor.exe
5108	omsecor.exe
4884	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 2848	4472	13855ddc6357c876c446d51b88ae2b00_NEIKI.exe	91
PID 4472 wrote to memory of 2848	4472	13855ddc6357c876c446d51b88ae2b00_NEIKI.exe	91
PID 4472 wrote to memory of 2848	4472	13855ddc6357c876c446d51b88ae2b00_NEIKI.exe	91
PID 2848 wrote to memory of 5108	2848	omsecor.exe	101
PID 2848 wrote to memory of 5108	2848	omsecor.exe	101
PID 2848 wrote to memory of 5108	2848	omsecor.exe	101
PID 5108 wrote to memory of 4884	5108	omsecor.exe	102
PID 5108 wrote to memory of 4884	5108	omsecor.exe	102
PID 5108 wrote to memory of 4884	5108	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\13855ddc6357c876c446d51b88ae2b00_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\13855ddc6357c876c446d51b88ae2b00_NEIKI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:4016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
74f163d66ebb9e68d07f20fd28ea993b

SHA1
4a85b34f28ce5770d8b876fc341e24781dd33b53

SHA256
eca3f9eeae6cae14db57e88524580300027303262911b484a45ee5e4b58f5ffc

SHA512
d1451377c012d25c0d1adc8b960a8d3159ccb12cd22b111d4a2bdf2d80343eadf904c6c429084e89c5284f61b95a7707672bb2135f41d3a86128aa994734fd4b

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
12374d7cf262fa281e766cd99c2c80dc

SHA1
5baaf7dc541000d094ec71498c53236292a75346

SHA256
dc55eaea31dd8187c9db7831eb20e4d382817af60de69b3af43f956972c2b02e

SHA512
d23347acb98f572c02f86d10348823fe786c9a18916025a789149c36829c454bd2fc518a464f9bbdd8b9ce203d72414c6efe5251b1cc303fd82397d32f23ea71

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
7991fb19f6de292f20fbb888251c8ca1

SHA1
834b5c1e9bb029053e2d98603d1f17c66bf4705c

SHA256
88f7722a2c5bb4d6523f7786074fb757cfb432d64419bbadb1746b032b7a06c7

SHA512
b5f5a668c0d3188bf8f26d813065b8dc32fc05c65bd7c18f6f943fafe41c5ebffd712ee779d9d95cb9a4a4e2d210825fa4f33abc22797af4ec7216d931916b17

Download Submit
memory/2848-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2848-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2848-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4472-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4472-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4884-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4884-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5108-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5108-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download