neconyd | 69728bf9129f7172efd3f4170a965eabaf6f0f14f9b1cb83641e657a09fc775d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe
Size

96KB
MD5

67b92e9d81218abcc1bbd6c5aee495c0
SHA1

50be30b183c6276521c4d9349c694fa7e78cdd0c
SHA256

69728bf9129f7172efd3f4170a965eabaf6f0f14f9b1cb83641e657a09fc775d
SHA512

f4f35fbd012d9de47f790e38039384c7378fb9e1e882762321f9d01fccb95067ec410f5efbf64b75a92c6da2c4eb2174813c5babdc147025c38883e80f2c964d
SSDEEP

1536:UnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:UGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
900	omsecor.exe
3476	omsecor.exe
3020	omsecor.exe
1376	omsecor.exe
3204	omsecor.exe
4332	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4908 set thread context of 1160	4908	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	81
PID 900 set thread context of 3476	900	omsecor.exe	86
PID 3020 set thread context of 1376	3020	omsecor.exe	96
PID 3204 set thread context of 4332	3204	omsecor.exe	100

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3248	4908	WerFault.exe	80
208	900	WerFault.exe	83
1600	3020	WerFault.exe	95
5076	3204	WerFault.exe	98

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 1160	4908	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	81
PID 4908 wrote to memory of 1160	4908	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	81
PID 4908 wrote to memory of 1160	4908	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	81
PID 4908 wrote to memory of 1160	4908	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	81
PID 4908 wrote to memory of 1160	4908	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	81
PID 1160 wrote to memory of 900	1160	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	83
PID 1160 wrote to memory of 900	1160	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	83
PID 1160 wrote to memory of 900	1160	67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe	83
PID 900 wrote to memory of 3476	900	omsecor.exe	86
PID 900 wrote to memory of 3476	900	omsecor.exe	86
PID 900 wrote to memory of 3476	900	omsecor.exe	86
PID 900 wrote to memory of 3476	900	omsecor.exe	86
PID 900 wrote to memory of 3476	900	omsecor.exe	86
PID 3476 wrote to memory of 3020	3476	omsecor.exe	95
PID 3476 wrote to memory of 3020	3476	omsecor.exe	95
PID 3476 wrote to memory of 3020	3476	omsecor.exe	95
PID 3020 wrote to memory of 1376	3020	omsecor.exe	96
PID 3020 wrote to memory of 1376	3020	omsecor.exe	96
PID 3020 wrote to memory of 1376	3020	omsecor.exe	96
PID 3020 wrote to memory of 1376	3020	omsecor.exe	96
PID 3020 wrote to memory of 1376	3020	omsecor.exe	96
PID 1376 wrote to memory of 3204	1376	omsecor.exe	98
PID 1376 wrote to memory of 3204	1376	omsecor.exe	98
PID 1376 wrote to memory of 3204	1376	omsecor.exe	98
PID 3204 wrote to memory of 4332	3204	omsecor.exe	100
PID 3204 wrote to memory of 4332	3204	omsecor.exe	100
PID 3204 wrote to memory of 4332	3204	omsecor.exe	100
PID 3204 wrote to memory of 4332	3204	omsecor.exe	100
PID 3204 wrote to memory of 4332	3204	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\67b92e9d81218abcc1bbd6c5aee495c0_NeikiAnalytics.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3476
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 256
        8⤵
        Program crash
        
        PID:5076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 292
        6⤵
        Program crash
        
        PID:1600
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 296
      4⤵
      Program crash
      PID:208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 288
  2⤵
  - Program crash
  PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4908 -ip 4908
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 900 -ip 900
1⤵
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3020 -ip 3020
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3204 -ip 3204
1⤵
PID:1980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
587cc7dfc37e1399e81135e2b3870cae

SHA1
a5ee37ddebdc65020e182357f1a62d3477a5522c

SHA256
57e6effb1d16ace3d0705033a0b8b350da14c01c3f4afb53fb4c707ed6ce6877

SHA512
139d7be5be3154c8c9bfd048b88c7aed2469904c02d744ae7aa5ef42490f7017f05f43b54abce0195120ca485ccb5f04d3785cb877e55ef6516c202448a578fd

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
40f92d4b929c2d7564f9cacd803ef508

SHA1
6893941b611b4109517013940444da046041d668

SHA256
2acf30aa7dbe48bfecfec7cbf7ff9dab669a793fdb760e1280a8ba3a6cf31de0

SHA512
e63f4d2f4e5216e20bd8c38a125a27d43dbdc3a64a9ec02a1362a4787d59a63a1b6a6ab515c58d60555c1429c475e023c153d546dd8986fe108b834a1f866cab

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
9152ba48b735a7458eac46eb5617273e

SHA1
59dd8f29e63818ebb9b93273c60d4d956e694a7b

SHA256
345c6a731fb62bac7166f2351e67a9fc9665f831abec02bd4ac464a5e5758943

SHA512
768f5111f57b55899d5fefdca372967a7df31174d3ff1422cee444b94b75e6661429f960e30542929e3654eb6a119173442515bb50e45355bd46a06c0c93b887

Download Submit
memory/900-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1160-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1160-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1160-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1160-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1376-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1376-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1376-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3020-35-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3204-46-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3476-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3476-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3476-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3476-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3476-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3476-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3476-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4332-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4332-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4332-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4332-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4908-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download