Analysis

  • max time kernel
    135s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-05-2024 04:01

General

  • Target
    772ecfaf450037d110309a722be51cb0_NeikiAnalytics.exe
  • Size
    62KB
  • MD5
    772ecfaf450037d110309a722be51cb0
  • SHA1
    80b35673363b09dadb9f15da611fe557480401ad
  • SHA256
    81642b660cc4cfea91eb2ac9b2227bb9050ac963a94539562c204a2839a796e0
  • SHA512
    533cc1a1dd0b23c64a7eb40ac0a00c51f0eb6f2fbf5b2d22380c3cc9041e04279ee59b359008ec2fe7e1f526f400ee618026490794d4d6e970a652399fd12269
  • SSDEEP
    768:TMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uA:TbIvYvZEyFKF6N4yS+AQmZtl/5

Score
10/10

Malware Config

Extracted

  • Family
    neconyd
  • C2
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\772ecfaf450037d110309a722be51cb0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\772ecfaf450037d110309a722be51cb0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:768
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4736
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2800
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:4888

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize: 62KB
    MD5: 5ce50dfb074ac70a7654e2319faa4efb
    SHA1: 42b9f2b7340aefc50a80fe8bbc67008ac1402aa1
    SHA256: bad9403d2799f619376b1c7ba95460367e7a1b598b38e8dd7afbd443f9fe8b27
    SHA512: 2a37fd364042d4e16496fb826a6ef3f2e51b4872a09490771e7bbbed24bfd988bd5bd732071c63119e96ae534186a16b4e2d86790168e5259363e6cf092459dc

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize: 62KB
    MD5: 844a6f85dc6f625c6fa369eabaab7156
    SHA1: 13362756b49d39838a1f1b64cef6e69c4f3c294c
    SHA256: 48642b198f4912ee5181c1b92207006d272ca3f5097a59c29b1bd11f29cb5214
    SHA512: f7f433136e440a7d9a80e949cf45dc7243b6772302a3477bdd218e95258c9fed261c70b2626c20fc79d5b2531cca84b90c68bb6818da0164f38f90132fde99fe

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize: 62KB
    MD5: 2f88e96bb372e463a454dd4745c547f0
    SHA1: 18f6596af570a2f633604b589be043a89a1b39bb
    SHA256: bb5f80508256d9514fa6ff9e1de60a79ceb603fa801da33643f6923c5fa5cf68
    SHA512: 2aa766fe4e295770c36c63fd86e536d5d323ecaad34751027213778e8ee09d9cf7fd113fd1621332bce143ec7f3ac5b424c7f17a2ba7e76046fd8776a154ceb0