neconyd | 1b386a883dcc4bdf039750015293d7a41eedde0e9c607ca7d1c689f4b2b4c0c1

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe
Size

96KB
MD5

2f8f98b7c33d01d3a9bb93bc154dbb90
SHA1

3b393888961db03d82f454e8673723341c95b204
SHA256

1b386a883dcc4bdf039750015293d7a41eedde0e9c607ca7d1c689f4b2b4c0c1
SHA512

6158a4b5cdeb67f6235ced74df53074a2abb96ccf05f37b705e84227bf193543be34e8e25b1e40052a120725e877c468c562ac77ca67dedfb9598e76a137f189
SSDEEP

1536:0nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:0Gs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
2596	omsecor.exe
768	omsecor.exe
4392	omsecor.exe
2432	omsecor.exe
3612	omsecor.exe
2140	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 232 set thread context of 8	232	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	82
PID 2596 set thread context of 768	2596	omsecor.exe	86
PID 4392 set thread context of 2432	4392	omsecor.exe	99
PID 3612 set thread context of 2140	3612	omsecor.exe	103

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3352	232	WerFault.exe	81
4124	2596	WerFault.exe	84
5008	4392	WerFault.exe	98
4468	3612	WerFault.exe	101

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 8	232	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	82
PID 232 wrote to memory of 8	232	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	82
PID 232 wrote to memory of 8	232	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	82
PID 232 wrote to memory of 8	232	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	82
PID 232 wrote to memory of 8	232	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	82
PID 8 wrote to memory of 2596	8	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	84
PID 8 wrote to memory of 2596	8	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	84
PID 8 wrote to memory of 2596	8	2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe	84
PID 2596 wrote to memory of 768	2596	omsecor.exe	86
PID 2596 wrote to memory of 768	2596	omsecor.exe	86
PID 2596 wrote to memory of 768	2596	omsecor.exe	86
PID 2596 wrote to memory of 768	2596	omsecor.exe	86
PID 2596 wrote to memory of 768	2596	omsecor.exe	86
PID 768 wrote to memory of 4392	768	omsecor.exe	98
PID 768 wrote to memory of 4392	768	omsecor.exe	98
PID 768 wrote to memory of 4392	768	omsecor.exe	98
PID 4392 wrote to memory of 2432	4392	omsecor.exe	99
PID 4392 wrote to memory of 2432	4392	omsecor.exe	99
PID 4392 wrote to memory of 2432	4392	omsecor.exe	99
PID 4392 wrote to memory of 2432	4392	omsecor.exe	99
PID 4392 wrote to memory of 2432	4392	omsecor.exe	99
PID 2432 wrote to memory of 3612	2432	omsecor.exe	101
PID 2432 wrote to memory of 3612	2432	omsecor.exe	101
PID 2432 wrote to memory of 3612	2432	omsecor.exe	101
PID 3612 wrote to memory of 2140	3612	omsecor.exe	103
PID 3612 wrote to memory of 2140	3612	omsecor.exe	103
PID 3612 wrote to memory of 2140	3612	omsecor.exe	103
PID 3612 wrote to memory of 2140	3612	omsecor.exe	103
PID 3612 wrote to memory of 2140	3612	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:232
- C:\Users\Admin\AppData\Local\Temp\2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\2f8f98b7c33d01d3a9bb93bc154dbb90_NeikiAnalytics.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4392
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 256
        8⤵
        Program crash
        
        PID:4468
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 292
        6⤵
        Program crash
        
        PID:5008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 288
      4⤵
      Program crash
      PID:4124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 288
  2⤵
  - Program crash
  PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 232 -ip 232
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2596 -ip 2596
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4392 -ip 4392
1⤵
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3612 -ip 3612
1⤵
PID:3336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
343d6edabb74464b952f2bbdef86f40a

SHA1
e10036476ec7bfb2f7c2079ea56dee67be1cfe6e

SHA256
ff83eaad23bfc8282884112f2f5bec13944612ed7fc00c70207db75392335afc

SHA512
d9f238b3cdfae43e621d47a3975125f97aa3fc88c68d492779f40d4b6480a21c492e68f132fb31e9970c9d4f98dcf9b28a8e228d9966348ae0cdeb2c1de2b876

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
c16c30ca540e6f9362fd8a13761fe431

SHA1
881b0d2b5fe83500898355a9555eeaf5a16cb43b

SHA256
c5b2ab6a05d5dc284222f38858a6029108404ed562a26e4ab1b7ccec5964c292

SHA512
9bbdd0b0ec64b3d43f6612d3cb45c9b3974a7b034ae8b5620e70d674c47b70154574d0ee83c92494b29714b8f3852296ffb07819816425436d4515b7ad661bdb

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
200b65b144667d86e1c7cdd7208a6b76

SHA1
ea693a6b596637f9714454648bf0a33d4aa744df

SHA256
b7cab99e7b58ab721493caabe74485c8c0088d3810fe02d2238fdf709556571b

SHA512
c42124f1574e1b0ece51e467ba8dda6f4f5081fd40cd8bfbe85fee6b6e9a772de6a52dd393fcf95b674b21bcc60550c20117b63fb70595ae91cee1f37cb40690

Download Submit
memory/8-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/8-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/8-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/8-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/232-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/232-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/768-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/768-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/768-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/768-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/768-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/768-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/768-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2140-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2140-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2140-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2140-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2432-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2432-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2432-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2596-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3612-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4392-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4392-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download