neconyd | 1de2f735c0692b61e66831d6bc63b8d81a7c97c632d54e5f975c59a30f3655ed

Analysis

max time kernel
145s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe
Size

96KB
MD5

ab41e88c52a23429a5a87e173ce564b0
SHA1

2dd6b77fda9bd44183ecab4198766f71c34341ac
SHA256

1de2f735c0692b61e66831d6bc63b8d81a7c97c632d54e5f975c59a30f3655ed
SHA512

78cc030cad9e575623478f3a2c35e6350eb2614c60f7b782c174bc02116d45007aaa5f00f0b4b40b58357a8da7b895ab20257b14b109815e94f0f8ccceeaf4b1
SSDEEP

1536:YnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:YGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
3536	omsecor.exe
2928	omsecor.exe
1032	omsecor.exe
3172	omsecor.exe
3180	omsecor.exe
4712	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4104 set thread context of 3288	4104	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	86
PID 3536 set thread context of 2928	3536	omsecor.exe	90
PID 1032 set thread context of 3172	1032	omsecor.exe	111
PID 3180 set thread context of 4712	3180	omsecor.exe	115

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1356	3536	WerFault.exe	88
4148	4104	WerFault.exe	85
2888	1032	WerFault.exe	110
3668	3180	WerFault.exe	113

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 3288	4104	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	86
PID 4104 wrote to memory of 3288	4104	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	86
PID 4104 wrote to memory of 3288	4104	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	86
PID 4104 wrote to memory of 3288	4104	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	86
PID 4104 wrote to memory of 3288	4104	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	86
PID 3288 wrote to memory of 3536	3288	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	88
PID 3288 wrote to memory of 3536	3288	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	88
PID 3288 wrote to memory of 3536	3288	ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe	88
PID 3536 wrote to memory of 2928	3536	omsecor.exe	90
PID 3536 wrote to memory of 2928	3536	omsecor.exe	90
PID 3536 wrote to memory of 2928	3536	omsecor.exe	90
PID 3536 wrote to memory of 2928	3536	omsecor.exe	90
PID 3536 wrote to memory of 2928	3536	omsecor.exe	90
PID 2928 wrote to memory of 1032	2928	omsecor.exe	110
PID 2928 wrote to memory of 1032	2928	omsecor.exe	110
PID 2928 wrote to memory of 1032	2928	omsecor.exe	110
PID 1032 wrote to memory of 3172	1032	omsecor.exe	111
PID 1032 wrote to memory of 3172	1032	omsecor.exe	111
PID 1032 wrote to memory of 3172	1032	omsecor.exe	111
PID 1032 wrote to memory of 3172	1032	omsecor.exe	111
PID 1032 wrote to memory of 3172	1032	omsecor.exe	111
PID 3172 wrote to memory of 3180	3172	omsecor.exe	113
PID 3172 wrote to memory of 3180	3172	omsecor.exe	113
PID 3172 wrote to memory of 3180	3172	omsecor.exe	113
PID 3180 wrote to memory of 4712	3180	omsecor.exe	115
PID 3180 wrote to memory of 4712	3180	omsecor.exe	115
PID 3180 wrote to memory of 4712	3180	omsecor.exe	115
PID 3180 wrote to memory of 4712	3180	omsecor.exe	115
PID 3180 wrote to memory of 4712	3180	omsecor.exe	115

C:\Users\Admin\AppData\Local\Temp\ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Users\Admin\AppData\Local\Temp\ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\ab41e88c52a23429a5a87e173ce564b0_NeikiAnalytics.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1032
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:4712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 256
        8⤵
        Program crash
        
        PID:3668
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 292
        6⤵
        Program crash
        
        PID:2888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 300
      4⤵
      Program crash
      PID:1356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 272
  2⤵
  - Program crash
  PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4104 -ip 4104
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3536 -ip 3536
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1032 -ip 1032
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3180 -ip 3180
1⤵
PID:3044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
306d68d7476c41c5ae62a5034a14cad0

SHA1
a26de966097c9b1ed761d5eb6ad48365cc6830d2

SHA256
4c96589c824e2896e8c0ab72168e35613c12b078a4d4f2d3f957bf5fd1edb603

SHA512
64cc8476aa882e2b44d3007da235717a5b487bde97c966bb2860165060cde791f86e89bafb8430699e8875f6f98ad2d4df5a20b3a4a6cc3b0ac0ba619854e423

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
797109b649c24938fb1e64b1f77942a8

SHA1
daa4881fa2e85002600a12537c45f9098bb9f63c

SHA256
3f0aa6fd9e220c775e3b840c83c580d8bc35ce64f208eef1cd300e693e6514b8

SHA512
8b6c65d953b35826d656e5ce69a5f132831d8c7cbfcc1928392e3cc217bcec90d5a770b04b95c2500d95eb8432a2778037833c1a8de7478d74e5fd04f7561b13

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
3583f4d9ed52f11b77923e5b02dcfe5b

SHA1
dccfd67b16f6faa63f58bd254bc1943200d152cc

SHA256
22c4dc2c24c65a2a26cf6a58a1085c190098d641746c947bd132d36b7f8ad576

SHA512
f7b4b5dde1e2aa12043f842511066267dd7a9ec396351ae295b32435f3d9bac1f1d0c0c5984808a11aa51d24707a3eeec31dcb67c7979406e7ef1a1cd8e56c9f

Download Submit
memory/1032-35-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2928-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3172-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3172-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3172-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3180-54-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3180-46-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3288-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3288-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3288-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3288-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3536-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4104-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4104-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4712-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4712-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4712-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4712-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download