neconyd | 1b386a883dcc4bdf039750015293d7a41eedde0e9c607ca7d1c689f4b2b4c0c1

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe
Size

96KB
MD5

2f8f98b7c33d01d3a9bb93bc154dbb90
SHA1

3b393888961db03d82f454e8673723341c95b204
SHA256

1b386a883dcc4bdf039750015293d7a41eedde0e9c607ca7d1c689f4b2b4c0c1
SHA512

6158a4b5cdeb67f6235ced74df53074a2abb96ccf05f37b705e84227bf193543be34e8e25b1e40052a120725e877c468c562ac77ca67dedfb9598e76a137f189
SSDEEP

1536:0nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:0Gs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
1828	omsecor.exe
3036	omsecor.exe
2476	omsecor.exe
1572	omsecor.exe
1352	omsecor.exe
2596	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2068	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe
2068	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe
1828	omsecor.exe
3036	omsecor.exe
3036	omsecor.exe
1572	omsecor.exe
1572	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 848 set thread context of 2068	848	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	28
PID 1828 set thread context of 3036	1828	omsecor.exe	30
PID 2476 set thread context of 1572	2476	omsecor.exe	35
PID 1352 set thread context of 2596	1352	omsecor.exe	37

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2068	848	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	28
PID 848 wrote to memory of 2068	848	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	28
PID 848 wrote to memory of 2068	848	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	28
PID 848 wrote to memory of 2068	848	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	28
PID 848 wrote to memory of 2068	848	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	28
PID 848 wrote to memory of 2068	848	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	28
PID 2068 wrote to memory of 1828	2068	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	29
PID 2068 wrote to memory of 1828	2068	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	29
PID 2068 wrote to memory of 1828	2068	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	29
PID 2068 wrote to memory of 1828	2068	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	29
PID 1828 wrote to memory of 3036	1828	omsecor.exe	30
PID 1828 wrote to memory of 3036	1828	omsecor.exe	30
PID 1828 wrote to memory of 3036	1828	omsecor.exe	30
PID 1828 wrote to memory of 3036	1828	omsecor.exe	30
PID 1828 wrote to memory of 3036	1828	omsecor.exe	30
PID 1828 wrote to memory of 3036	1828	omsecor.exe	30
PID 3036 wrote to memory of 2476	3036	omsecor.exe	34
PID 3036 wrote to memory of 2476	3036	omsecor.exe	34
PID 3036 wrote to memory of 2476	3036	omsecor.exe	34
PID 3036 wrote to memory of 2476	3036	omsecor.exe	34
PID 2476 wrote to memory of 1572	2476	omsecor.exe	35
PID 2476 wrote to memory of 1572	2476	omsecor.exe	35
PID 2476 wrote to memory of 1572	2476	omsecor.exe	35
PID 2476 wrote to memory of 1572	2476	omsecor.exe	35
PID 2476 wrote to memory of 1572	2476	omsecor.exe	35
PID 2476 wrote to memory of 1572	2476	omsecor.exe	35
PID 1572 wrote to memory of 1352	1572	omsecor.exe	36
PID 1572 wrote to memory of 1352	1572	omsecor.exe	36
PID 1572 wrote to memory of 1352	1572	omsecor.exe	36
PID 1572 wrote to memory of 1352	1572	omsecor.exe	36
PID 1352 wrote to memory of 2596	1352	omsecor.exe	37
PID 1352 wrote to memory of 2596	1352	omsecor.exe	37
PID 1352 wrote to memory of 2596	1352	omsecor.exe	37
PID 1352 wrote to memory of 2596	1352	omsecor.exe	37
PID 1352 wrote to memory of 2596	1352	omsecor.exe	37
PID 1352 wrote to memory of 2596	1352	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2476
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:2596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c16c30ca540e6f9362fd8a13761fe431

SHA1
881b0d2b5fe83500898355a9555eeaf5a16cb43b

SHA256
c5b2ab6a05d5dc284222f38858a6029108404ed562a26e4ab1b7ccec5964c292

SHA512
9bbdd0b0ec64b3d43f6612d3cb45c9b3974a7b034ae8b5620e70d674c47b70154574d0ee83c92494b29714b8f3852296ffb07819816425436d4515b7ad661bdb

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
8b0f97128b1bd54094c690400e62bc32

SHA1
07225f4014a036505da9c55610ae614705418980

SHA256
93b05e28647eb13a538a01ad014b3342ba38b06b0df35786fa076016219099ab

SHA512
653f2913994d411f1f4312016b42990a4eecd6ae248ccdf457505b9f8c5b2c5747cbb91400f440ebd71d284ebf7ebab61da0caf15a1a3707351241ff115fc623

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
7ee8b74e95d18079d24b609a771b87a0

SHA1
8e0b5481ed27d1da4afe03732ab6ba9caa56c24a

SHA256
2e79968a29f1bff5cbe32646d7fa1b19051196777cc56d500884001aa575d503

SHA512
ab15b10785fee57ed6f1938d60b345e659f61025937d94775eaea6d51b0b800b00028552ac1369f8d07ca05cced68c41d62b456fcf7c0c1957bd43e66d4070d0

Download Submit
memory/848-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/848-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1352-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1352-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1572-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1828-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1828-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2068-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2068-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2068-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2068-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2068-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2476-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2476-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2596-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2596-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-47-0x0000000000310000-0x0000000000333000-memory.dmp

Filesize
140KB

Download
memory/3036-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download