neconyd | 200a38b37ac1276827ced1b960c1aaf1a2765cc76d255a631e25c8382773800f

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 17:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e6532eae8e235cef22e8306ce85c6800_NeikiAnalytics.exe
Size

96KB
MD5

e6532eae8e235cef22e8306ce85c6800
SHA1

2af03474eb02f26c8587095a89966de53e956de7
SHA256

200a38b37ac1276827ced1b960c1aaf1a2765cc76d255a631e25c8382773800f
SHA512

79424c612d8327ad90c71fed77c0f3e2de2b74bc47513c8d234e7a2b2c4b96399b2f1266bd7f2f482669b3c5c3c6080e247f365ce2559b84b8070e0b9f9bbf8c
SSDEEP

1536:SnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:SGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
2216	omsecor.exe
1976	omsecor.exe
432	omsecor.exe
1532	omsecor.exe
468	omsecor.exe
4676	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4504 set thread context of 4364	4504	e6532eae8e235cef22e8306ce85c6800_NeikiAnalytics.exe	82
PID 2216 set thread context of 1976	2216	omsecor.exe	87
PID 432 set thread context of 1532	432	omsecor.exe	108
PID 468 set thread context of 4676	468	omsecor.exe	111

Program crash 4 IoCs

pid	pid_target	Process	procid_target
912	4504	WerFault.exe	81
4212	2216	WerFault.exe	84
5112	432	WerFault.exe	107
2724	468	WerFault.exe	110

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 4364	4504	e6532eae8e235cef22e8306ce85c6800_NeikiAnalytics.exe	82
PID 4504 wrote to memory of 4364	4504	e6532eae8e235cef22e8306ce85c6800_NeikiAnalytics.exe	82
PID 4504 wrote to memory of 4364	4504	e6532eae8e235cef22e8306ce85c6800_NeikiAnalytics.exe	82
PID 4504 wrote to memory of 4364	4504	e6532eae8e235cef22e8306ce85c6800_NeikiAnalytics.exe	82
PID 4504 wrote to memory of 4364	4504	e6532eae8e235cef22e8306ce85c6800_NeikiAnalytics.exe	82
PID 4364 wrote to memory of 2216	4364	e6532eae8e235cef22e8306ce85c6800_NeikiAnalytics.exe	84
PID 4364 wrote to memory of 2216	4364	e6532eae8e235cef22e8306ce85c6800_NeikiAnalytics.exe	84
PID 4364 wrote to memory of 2216	4364	e6532eae8e235cef22e8306ce85c6800_NeikiAnalytics.exe	84
PID 2216 wrote to memory of 1976	2216	omsecor.exe	87
PID 2216 wrote to memory of 1976	2216	omsecor.exe	87
PID 2216 wrote to memory of 1976	2216	omsecor.exe	87
PID 2216 wrote to memory of 1976	2216	omsecor.exe	87
PID 2216 wrote to memory of 1976	2216	omsecor.exe	87
PID 1976 wrote to memory of 432	1976	omsecor.exe	107
PID 1976 wrote to memory of 432	1976	omsecor.exe	107
PID 1976 wrote to memory of 432	1976	omsecor.exe	107
PID 432 wrote to memory of 1532	432	omsecor.exe	108
PID 432 wrote to memory of 1532	432	omsecor.exe	108
PID 432 wrote to memory of 1532	432	omsecor.exe	108
PID 432 wrote to memory of 1532	432	omsecor.exe	108
PID 432 wrote to memory of 1532	432	omsecor.exe	108
PID 1532 wrote to memory of 468	1532	omsecor.exe	110
PID 1532 wrote to memory of 468	1532	omsecor.exe	110
PID 1532 wrote to memory of 468	1532	omsecor.exe	110
PID 468 wrote to memory of 4676	468	omsecor.exe	111
PID 468 wrote to memory of 4676	468	omsecor.exe	111
PID 468 wrote to memory of 4676	468	omsecor.exe	111
PID 468 wrote to memory of 4676	468	omsecor.exe	111
PID 468 wrote to memory of 4676	468	omsecor.exe	111

C:\Users\Admin\AppData\Local\Temp\e6532eae8e235cef22e8306ce85c6800_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e6532eae8e235cef22e8306ce85c6800_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Local\Temp\e6532eae8e235cef22e8306ce85c6800_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\e6532eae8e235cef22e8306ce85c6800_NeikiAnalytics.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:432
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 256
        8⤵
        Program crash
        
        PID:2724
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 284
        6⤵
        Program crash
        
        PID:5112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 288
      4⤵
      Program crash
      PID:4212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 288
  2⤵
  - Program crash
  PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4504 -ip 4504
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2216 -ip 2216
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 432 -ip 432
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 468 -ip 468
1⤵
PID:2916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3c4fad8fac2dba2da2956d6482243f4d

SHA1
b3ad3d6a9d3f6eb13674d8b3d4ceb79672f8e1fe

SHA256
b4cace72fb6dba441565ebf4c81d4f4f565eee1d76ed7dd625d7e33b0deddd9e

SHA512
de8adc9daf3b01ce2a132e92835cb0f04a755b0c75059938e61bb8253bddb3abf2d8c05f10a9a5b83de906c418ee4f1b90b9e660d5ac2df0199b3e3d45148cc9

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
e1917b672586b0b601c34f68e0c591fa

SHA1
89e261e81bdd9fae5f3b68ca8c93a3c20b757500

SHA256
306d1f269abd3b328dbb8f2c956d0899aaeda94c5bb539d26914cc73cb43efea

SHA512
6b2d058dc03f7cbca7c8132a538878a643f97154ddee4cdd4a26ba1dac10bcc5137b74b521f6b752b85f68742b0afd3bd99e90a6023353308cce09a2a33ff4f1

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
d805d3b223413d25dc82747316793515

SHA1
86ca30a4cbf356ad1c9ab0ce719a40f484567b65

SHA256
b812654b68a51fb5da3ee0ae13090d7c9393a863e7f6ef2e55d17a1c821c9825

SHA512
3a20add9a3db0c82ddc91c871a56929b7eb4d814458633f177de6efacf99209dbe7cf60203ab366f57101b1d3de55152506f969a420d2bd1d60abe142bd43215

Download Submit
memory/432-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/432-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/468-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1532-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1532-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1532-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1976-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1976-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1976-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1976-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1976-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1976-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1976-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2216-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4364-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4364-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4364-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4364-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4504-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4676-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4676-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4676-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4676-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download