neconyd | 1de2f735c0692b61e66831d6bc63b8d81a7c97c632d54e5f975c59a30f3655ed

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe
Size

96KB
MD5

ab41e88c52a23429a5a87e173ce564b0
SHA1

2dd6b77fda9bd44183ecab4198766f71c34341ac
SHA256

1de2f735c0692b61e66831d6bc63b8d81a7c97c632d54e5f975c59a30f3655ed
SHA512

78cc030cad9e575623478f3a2c35e6350eb2614c60f7b782c174bc02116d45007aaa5f00f0b4b40b58357a8da7b895ab20257b14b109815e94f0f8ccceeaf4b1
SSDEEP

1536:YnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:YGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
2616	omsecor.exe
2660	omsecor.exe
1876	omsecor.exe
1268	omsecor.exe
1592	omsecor.exe
1956	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2680	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe
2680	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe
2616	omsecor.exe
2660	omsecor.exe
2660	omsecor.exe
1268	omsecor.exe
1268	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 2680	1760	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	28
PID 2616 set thread context of 2660	2616	omsecor.exe	30
PID 1876 set thread context of 1268	1876	omsecor.exe	35
PID 1592 set thread context of 1956	1592	omsecor.exe	37

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2680	1760	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	28
PID 1760 wrote to memory of 2680	1760	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	28
PID 1760 wrote to memory of 2680	1760	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	28
PID 1760 wrote to memory of 2680	1760	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	28
PID 1760 wrote to memory of 2680	1760	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	28
PID 1760 wrote to memory of 2680	1760	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	28
PID 2680 wrote to memory of 2616	2680	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	29
PID 2680 wrote to memory of 2616	2680	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	29
PID 2680 wrote to memory of 2616	2680	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	29
PID 2680 wrote to memory of 2616	2680	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	29
PID 2616 wrote to memory of 2660	2616	omsecor.exe	30
PID 2616 wrote to memory of 2660	2616	omsecor.exe	30
PID 2616 wrote to memory of 2660	2616	omsecor.exe	30
PID 2616 wrote to memory of 2660	2616	omsecor.exe	30
PID 2616 wrote to memory of 2660	2616	omsecor.exe	30
PID 2616 wrote to memory of 2660	2616	omsecor.exe	30
PID 2660 wrote to memory of 1876	2660	omsecor.exe	34
PID 2660 wrote to memory of 1876	2660	omsecor.exe	34
PID 2660 wrote to memory of 1876	2660	omsecor.exe	34
PID 2660 wrote to memory of 1876	2660	omsecor.exe	34
PID 1876 wrote to memory of 1268	1876	omsecor.exe	35
PID 1876 wrote to memory of 1268	1876	omsecor.exe	35
PID 1876 wrote to memory of 1268	1876	omsecor.exe	35
PID 1876 wrote to memory of 1268	1876	omsecor.exe	35
PID 1876 wrote to memory of 1268	1876	omsecor.exe	35
PID 1876 wrote to memory of 1268	1876	omsecor.exe	35
PID 1268 wrote to memory of 1592	1268	omsecor.exe	36
PID 1268 wrote to memory of 1592	1268	omsecor.exe	36
PID 1268 wrote to memory of 1592	1268	omsecor.exe	36
PID 1268 wrote to memory of 1592	1268	omsecor.exe	36
PID 1592 wrote to memory of 1956	1592	omsecor.exe	37
PID 1592 wrote to memory of 1956	1592	omsecor.exe	37
PID 1592 wrote to memory of 1956	1592	omsecor.exe	37
PID 1592 wrote to memory of 1956	1592	omsecor.exe	37
PID 1592 wrote to memory of 1956	1592	omsecor.exe	37
PID 1592 wrote to memory of 1956	1592	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1876
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:1956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
797109b649c24938fb1e64b1f77942a8

SHA1
daa4881fa2e85002600a12537c45f9098bb9f63c

SHA256
3f0aa6fd9e220c775e3b840c83c580d8bc35ce64f208eef1cd300e693e6514b8

SHA512
8b6c65d953b35826d656e5ce69a5f132831d8c7cbfcc1928392e3cc217bcec90d5a770b04b95c2500d95eb8432a2778037833c1a8de7478d74e5fd04f7561b13

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
f4a25ed4b08de0095ab6ed5cd4405241

SHA1
ac56d0e7bd7f48a524df0ef4d83ca1abcde81ec9

SHA256
9285e597fd3be2cbfddf5da9f97d2a034607ed4e320e4e25468b3f1faf81d0d6

SHA512
c07dce108e3cc15d99e267fb4e64102e47ef1af9093f661b55c415b24798992f54b296364bbb24dc1e56c248432652ce7c231581907ec1767e3f6cce6954d18e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
119fc7342daa727c99227bbf9c534a41

SHA1
f53af1f5c684176aeeda50a045082f8d7feae181

SHA256
53760679c6aac829f315d1b795ea37262d577fa8b67a7eb565aeac358886fff5

SHA512
7b5559e0a2ab71523ab60c0be1adcf62019b7b72316f6d29c371a5d4ff3d5f2ac40421e669add38b4c4198af019f02a6786476e855f6a614a3b5f86b76960210

Download Submit
memory/1268-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1592-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1760-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1760-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1760-11-0x00000000003B0000-0x00000000003D3000-memory.dmp

Filesize
140KB

Download
memory/1876-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1956-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1956-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2616-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2660-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2660-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2660-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2660-47-0x00000000007A0000-0x00000000007C3000-memory.dmp

Filesize
140KB

Download
memory/2660-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2660-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2680-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2680-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2680-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2680-17-0x0000000000300000-0x0000000000323000-memory.dmp

Filesize
140KB

Download
memory/2680-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2680-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download