Overview

overview

10

Static

static

10

19352471d1...cs.exe

windows7-x64

10

19352471d1...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    14/05/2024, 19:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19352471d1b651e1f36b526272ce5710_NeikiAnalytics.exe

  • Size

    76KB

  • MD5

    19352471d1b651e1f36b526272ce5710

  • SHA1

    430a8a97642e4f288b22e7646b4640b75bdd4d14

  • SHA256

    1a9be485c47a7a64da19d5cd4b46b9be87cb880c38c19cee11dc135ff8377d24

  • SHA512

    a037f9156f477215f2fefc90b2c1b0ffb5933891429b7b8c2a4580e8f2287566949c42e8efd2d8b0cb3cedd3e7d2061e05b4596599c94325249727994a80f540

  • SSDEEP

    768:vOMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:vObIvYvZEyFKF6N4yS+AQmZTl/5O

Score
10/10
neconydtrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19352471d1b651e1f36b526272ce5710_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\19352471d1b651e1f36b526272ce5710_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:1660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    76KB

    MD5

    565b1971bfd6b624eb01ef7176611c3e

    SHA1

    6a45075c0c04408cb7b13aed897bc668851b6dbe

    SHA256

    32dc652ccdfe56482c974220becd282ebf674599f5f416023c09a24bb87796fb

    SHA512

    31688ece071a783e89e34ba39a26d5c68a2c598438fc190ef5ed5727e73ff7031b58d2c4c01dbe883c93d8bea23a031a860add4002e209665fa2546e8c7da3f0

    Download Submit

  • \Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    76KB

    MD5

    407ab0b69d7cdd102821a63779cb6b09

    SHA1

    8b61de3f31ab66caa6e8c868d90a946e18d0b2d0

    SHA256

    447c65430ea199c94e8030346987177128029eda82f36e9a0b965a4aec917f22

    SHA512

    522d4d54f03d709615b5985591a830c774ff116cec50c429f60ae5789dddfccc991e9c895df39fccbf2e5d8bb4acce92bbaaf09ee8394ab0e9039997293b4345

    Download Submit

  • \Windows\SysWOW64\omsecor.exe
    Filesize

    76KB

    MD5

    1cd811ef0c7528387bbe384837cc4fa2

    SHA1

    c9d85ced9b41fa765b57fa3556e61e672300c966

    SHA256

    1e1296d984e9bf5a927a9c5a09fc152bda42c7edc8cab108a71770a6a30694bd

    SHA512

    d8458dc9c140a72b55edf389766fcc476a6a34b8d3d86a327f980f0d8a67b2595f6710a0312b61b6171fd1750e22e4ea50bc478be4c215d40d06a7adb2466852

    Download Submit