neconyd | 69728bf9129f7172efd3f4170a965eabaf6f0f14f9b1cb83641e657a09fc775d

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe
Size

96KB
MD5

67b92e9d81218abcc1bbd6c5aee495c0
SHA1

50be30b183c6276521c4d9349c694fa7e78cdd0c
SHA256

69728bf9129f7172efd3f4170a965eabaf6f0f14f9b1cb83641e657a09fc775d
SHA512

f4f35fbd012d9de47f790e38039384c7378fb9e1e882762321f9d01fccb95067ec410f5efbf64b75a92c6da2c4eb2174813c5babdc147025c38883e80f2c964d
SSDEEP

1536:UnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:UGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
2760	omsecor.exe
1656	omsecor.exe
2904	omsecor.exe
308	omsecor.exe
884	omsecor.exe
2880	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2420	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe
2420	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe
2760	omsecor.exe
1656	omsecor.exe
1656	omsecor.exe
308	omsecor.exe
308	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 2420	2208	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	28
PID 2760 set thread context of 1656	2760	omsecor.exe	30
PID 2904 set thread context of 308	2904	omsecor.exe	35
PID 884 set thread context of 2880	884	omsecor.exe	37

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2420	2208	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2420	2208	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2420	2208	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2420	2208	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2420	2208	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2420	2208	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	28
PID 2420 wrote to memory of 2760	2420	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	29
PID 2420 wrote to memory of 2760	2420	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	29
PID 2420 wrote to memory of 2760	2420	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	29
PID 2420 wrote to memory of 2760	2420	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	29
PID 2760 wrote to memory of 1656	2760	omsecor.exe	30
PID 2760 wrote to memory of 1656	2760	omsecor.exe	30
PID 2760 wrote to memory of 1656	2760	omsecor.exe	30
PID 2760 wrote to memory of 1656	2760	omsecor.exe	30
PID 2760 wrote to memory of 1656	2760	omsecor.exe	30
PID 2760 wrote to memory of 1656	2760	omsecor.exe	30
PID 1656 wrote to memory of 2904	1656	omsecor.exe	34
PID 1656 wrote to memory of 2904	1656	omsecor.exe	34
PID 1656 wrote to memory of 2904	1656	omsecor.exe	34
PID 1656 wrote to memory of 2904	1656	omsecor.exe	34
PID 2904 wrote to memory of 308	2904	omsecor.exe	35
PID 2904 wrote to memory of 308	2904	omsecor.exe	35
PID 2904 wrote to memory of 308	2904	omsecor.exe	35
PID 2904 wrote to memory of 308	2904	omsecor.exe	35
PID 2904 wrote to memory of 308	2904	omsecor.exe	35
PID 2904 wrote to memory of 308	2904	omsecor.exe	35
PID 308 wrote to memory of 884	308	omsecor.exe	36
PID 308 wrote to memory of 884	308	omsecor.exe	36
PID 308 wrote to memory of 884	308	omsecor.exe	36
PID 308 wrote to memory of 884	308	omsecor.exe	36
PID 884 wrote to memory of 2880	884	omsecor.exe	37
PID 884 wrote to memory of 2880	884	omsecor.exe	37
PID 884 wrote to memory of 2880	884	omsecor.exe	37
PID 884 wrote to memory of 2880	884	omsecor.exe	37
PID 884 wrote to memory of 2880	884	omsecor.exe	37
PID 884 wrote to memory of 2880	884	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:2880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
ee3034f4f280ff4246ec4ab40b5bcdce

SHA1
dd1c434d4bf39054884df035d9a8090b2ae0fefa

SHA256
4af1558eeb46f5bd5010a1f6de81336a023a3dd45e364c4333d0061fc080fbf7

SHA512
bd9674dba279f001e518673b6124e56a9698825629bdba8be0acb9625429289784fa789d560270e3f5587641eb1b5fcc62d98b8b40ea919dbaee7258ed08066a

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
40f92d4b929c2d7564f9cacd803ef508

SHA1
6893941b611b4109517013940444da046041d668

SHA256
2acf30aa7dbe48bfecfec7cbf7ff9dab669a793fdb760e1280a8ba3a6cf31de0

SHA512
e63f4d2f4e5216e20bd8c38a125a27d43dbdc3a64a9ec02a1362a4787d59a63a1b6a6ab515c58d60555c1429c475e023c153d546dd8986fe108b834a1f866cab

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
64ed8427ad31d5ad98e421be7c868307

SHA1
b8e5055272510d667c288f823b6d9a4b20d37934

SHA256
46954c1b80e832e2924391bf77de7dad536686acf44052d974141c4534a9e130

SHA512
472a3ce2578a65bef1be2fefef8cca93c7c385afdf3f804387f4580008a7a50efef646768a4a2e6d590a2da349a33476c73496c52aefb2f04351e6489552be5f

Download Submit
memory/884-78-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/884-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1656-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1656-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1656-47-0x00000000002A0000-0x00000000002C3000-memory.dmp

Filesize
140KB

Download
memory/1656-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1656-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1656-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2208-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2208-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2420-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2420-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2420-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2420-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2420-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2760-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2760-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2880-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2904-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download