Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-05-2024 01:41

General

  • Target

    9820d839f42f4f2e9ea4d7957cd24d30_NEIKI.exe

  • Size

    88KB

  • MD5

    9820d839f42f4f2e9ea4d7957cd24d30

  • SHA1

    0760bcc46ad9b2d3bc1f74323fe7049c26310882

  • SHA256

    28706a55c8770d5ce4bd44669c6cd1deb059bfe4b2189324a23d8c488972a61f

  • SHA512

    fac4bf4de9c07477d8ad29edacc2b5a1feaf8e097b2a1fbedaa9b933b5b2e7f8799df61f370f76c1610b541e02e07b5df6581aff1a12c97d4abdb3e38777d40a

  • SSDEEP

    1536:1d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:9dseIOMEZEyFjEOFqTiQm5l/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9820d839f42f4f2e9ea4d7957cd24d30_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\9820d839f42f4f2e9ea4d7957cd24d30_NEIKI.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2464
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:2380


Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    730edaddfe34291e9c89447a0c395328

    SHA1

    6ce3466be761ab4e5a3ef4c7f5f6a8ecba743afe

    SHA256

    122ec055d1d4cac370002db741196f74b1b72dff8349bb4cf6b37512bf6610de

    SHA512

    1b8d0feed8ea972dce270029cc173feb6808f64de76687f6d3e38d6a86148e4e7aff6b260a099edc54be782c7a7d50163feb7a1113a4da78dbf1615d4959b16b

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    0ff174c3caba986773fb7a0634ac70a5

    SHA1

    35f69714fe956abe1265a7692938b089828a3b6d

    SHA256

    b51c6afd0f52d1e43765e8814806fdeecf4e751006d3481afb115fa34a07355d

    SHA512

    134707939ac3ebe412c4ad13fae42ac4bc1f1a2e898d888d4600a56118110d9bcbd0493ddfa2e20ac2e04271226fb6488af2dc17fbedc2d3cebb5e40be48f1cf

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    88KB

    MD5

    2a31489f8ab65074b28a99cf1579417b

    SHA1

    074a227fccf23493dbd16f90c601c9851a380ef1

    SHA256

    cec4ee3175877a389a083781acf5ce1c99ec52b26db2351ff66be4fff08bc872

    SHA512

    db53f56730384fb6b8c150eebaed904e3aaf9a2dab4ee6dc86376a5101e930db6b47a7dfdea75864246f64bd416bff8d1cab3d0245437a102683371efd6badde
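The C2 list, the process tree and the Downloads section above together give the indicators a responder would sweep for: the three C2 hosts, the omsecor.exe drop paths (the report shows the copy launched as C:\Windows\System32\omsecor.exe landing in C:\Windows\SysWOW64 because the sample is 32-bit and WOW64 redirects the write), the AppData -> SysWOW64 -> AppData respawn chain, and the three SHA256 values for the dropped copies (the AppData file is hashed twice with different values because it was rewritten during the run). The following script is an added example, not part of the sandbox report: it turns those indicators into matchers and runs them over a constructed set of telemetry records. The record layout (`type`, `image`, `parent`, `query`, `path`, `sha256`) and the sample events are assumptions for illustration; only the hosts, paths and hashes come from the report.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# IoCs copied from the report above (Neconyd sample, Windows 7 x64 run).
C2_URLS = ("http://ow5dirasuek.com/", "http://mkkuei4kdsz.com/", "http://lousta.net/")
C2_HOSTS = frozenset(urlparse(u).hostname for u in C2_URLS)

DROPPED_SHA256 = frozenset({
    "122ec055d1d4cac370002db741196f74b1b72dff8349bb4cf6b37512bf6610de",  # AppData copy, first write
    "b51c6afd0f52d1e43765e8814806fdeecf4e751006d3481afb115fa34a07355d",  # AppData copy, second write
    "cec4ee3175877a389a083781acf5ce1c99ec52b26db2351ff66be4fff08bc872",  # SysWOW64 copy
})

# Drop-path suffixes, matched case-insensitively: drive letter and user name
# vary per host. System32 is included because the report's command line uses
# it while WOW64 redirection puts the file under SysWOW64.
DROPPED_PATH_RE = re.compile(
    r"(\\AppData\\Roaming|\\Windows\\(SysWOW64|System32))\\omsecor\.exe$",
    re.IGNORECASE,
)


def is_dropped_path(path: str) -> bool:
    return DROPPED_PATH_RE.search(path) is not None


def normalize_host(name: str) -> str:
    """Lower-case and strip a trailing dot so 'LOUSTA.NET.' matches 'lousta.net'."""
    return name.strip().lower().rstrip(".")


def dns_hit(query: str) -> bool:
    return normalize_host(query) in C2_HOSTS


def process_hit(image: str, parent_image: str) -> Optional[str]:
    """Label a process-creation event, or return None if it is not of interest.

    The report's tree is AppData -> SysWOW64 -> AppData, so a dropped path
    spawned by another dropped path is the strongest signal; a dropped path
    spawned by anything else still warrants a look.
    """
    if not is_dropped_path(image):
        return None
    if is_dropped_path(parent_image):
        return "omsecor.exe respawn chain"
    return "omsecor.exe executed"


def file_hit(path: str, sha256: str) -> bool:
    """Match on the known hashes first, then fall back to the drop path."""
    return sha256.lower() in DROPPED_SHA256 or is_dropped_path(path)


def scan(events: List[dict]) -> List[Tuple[int, str]]:
    """Run each record through the matcher for its type; return (index, reason)."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "dns" and dns_hit(ev["query"]):
            hits.append((i, "DNS query for Neconyd C2 " + normalize_host(ev["query"])))
        elif kind == "process":
            label = process_hit(ev["image"], ev.get("parent", ""))
            if label:
                hits.append((i, label))
        elif kind == "file" and file_hit(ev["path"], ev.get("sha256", "")):
            hits.append((i, "dropped file " + ev["path"]))
    return hits


# Constructed sample telemetry (assumption, not taken from the report):
# three benign records followed by four that should match.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"type": "dns", "query": "www.microsoft.com"},
    {"type": "file", "path": r"C:\Users\Admin\Documents\notes.txt", "sha256": "0" * 64},
    {"type": "process", "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\9820d839f42f4f2e9ea4d7957cd24d30_NEIKI.exe"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\omsecor.exe",
     "parent": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"type": "dns", "query": "LOUSTA.NET."},
    {"type": "file", "path": r"D:\quarantine\unknown.bin",
     "sha256": "CEC4EE3175877A389A083781ACF5CE1C99EC52B26DB2351FF66BE4FFF08BC872"},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(idx, reason)
```

The hash match is the only exact indicator; the path and DNS matchers are deliberately loose (any omsecor.exe under those directories, any case or trailing-dot variant of the C2 names) because a rebuilt dropper changes the hash before it changes the install location or the hard-coded C2 list. Feed real Sysmon or EDR exports into `scan` by mapping their fields onto the record layout assumed above.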