neconyd | e9ec73d13ebeb954a4c741c2ae91fb07c8b80eaf44d9609de291d5a4a34f36a3

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe
Size

134KB
MD5

89ceb3fcaf666d81e6c85f94757b0ca0
SHA1

e9ec7a03a8e115c54c8e52003bcc098c28be0580
SHA256

e9ec73d13ebeb954a4c741c2ae91fb07c8b80eaf44d9609de291d5a4a34f36a3
SHA512

46f61c652480ff64591dd96626ccb8446197f0506f515de8d7201da1e25883851b439d8b6355bbbfa2082ac9d83e46ed505abf5f867f7a51c3607c6042532c6a
SSDEEP

1536:tDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:9iRTeH0NqAW6J6f1tqF6dngNmaZC7M

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
2424	omsecor.exe
1796	omsecor.exe
1028	omsecor.exe
1992	omsecor.exe
3052	omsecor.exe
1780	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1624	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe
1624	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe
2424	omsecor.exe
1796	omsecor.exe
1796	omsecor.exe
1992	omsecor.exe
1992	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2964 set thread context of 1624	2964	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	28
PID 2424 set thread context of 1796	2424	omsecor.exe	30
PID 1028 set thread context of 1992	1028	omsecor.exe	35
PID 3052 set thread context of 1780	3052	omsecor.exe	37

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 1624	2964	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 1624	2964	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 1624	2964	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 1624	2964	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 1624	2964	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 1624	2964	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	28
PID 1624 wrote to memory of 2424	1624	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	29
PID 1624 wrote to memory of 2424	1624	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	29
PID 1624 wrote to memory of 2424	1624	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	29
PID 1624 wrote to memory of 2424	1624	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	29
PID 2424 wrote to memory of 1796	2424	omsecor.exe	30
PID 2424 wrote to memory of 1796	2424	omsecor.exe	30
PID 2424 wrote to memory of 1796	2424	omsecor.exe	30
PID 2424 wrote to memory of 1796	2424	omsecor.exe	30
PID 2424 wrote to memory of 1796	2424	omsecor.exe	30
PID 2424 wrote to memory of 1796	2424	omsecor.exe	30
PID 1796 wrote to memory of 1028	1796	omsecor.exe	34
PID 1796 wrote to memory of 1028	1796	omsecor.exe	34
PID 1796 wrote to memory of 1028	1796	omsecor.exe	34
PID 1796 wrote to memory of 1028	1796	omsecor.exe	34
PID 1028 wrote to memory of 1992	1028	omsecor.exe	35
PID 1028 wrote to memory of 1992	1028	omsecor.exe	35
PID 1028 wrote to memory of 1992	1028	omsecor.exe	35
PID 1028 wrote to memory of 1992	1028	omsecor.exe	35
PID 1028 wrote to memory of 1992	1028	omsecor.exe	35
PID 1028 wrote to memory of 1992	1028	omsecor.exe	35
PID 1992 wrote to memory of 3052	1992	omsecor.exe	36
PID 1992 wrote to memory of 3052	1992	omsecor.exe	36
PID 1992 wrote to memory of 3052	1992	omsecor.exe	36
PID 1992 wrote to memory of 3052	1992	omsecor.exe	36
PID 3052 wrote to memory of 1780	3052	omsecor.exe	37
PID 3052 wrote to memory of 1780	3052	omsecor.exe	37
PID 3052 wrote to memory of 1780	3052	omsecor.exe	37
PID 3052 wrote to memory of 1780	3052	omsecor.exe	37
PID 3052 wrote to memory of 1780	3052	omsecor.exe	37
PID 3052 wrote to memory of 1780	3052	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1796
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1028
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:1780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
cd34f5c11e273a3c7eede770e88c9b33

SHA1
df67e37cc890152dd6b6aebb71f5cdd51f17b203

SHA256
a718dc3a3b5b424c93095b9679ce4bd6e7babb71118ca82decf5879105d12294

SHA512
cf96b45564b99ab9880773984f7460acd7ad7cbd912ef9beea44224f9fce4d509260da57f20007950ecdc637ad3f49d54c1a85fe51c5d039c92928a6f4a9c0da

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
d3d83d2ae429b4996d295553b9b7597c

SHA1
6ddbb1d7a86050a0798cb1cfe882f9d845de699e

SHA256
88c9bd4aaeb22c1788c90ef6142a9bad64ea867b448ec0464e7aafcdef607fa1

SHA512
8fff6ad7e93882ff880febd3334847d625f23810d9d61b5fc44dda9a16719634e441d802c4495498c32270d35c43eca822cf6d4df9c014e837525e06c0189494

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
1424dc2e54c179162a9169631d7d3700

SHA1
37e60953b09edb626d51ef1708c28700ae8ff60d

SHA256
ce42b1288c451329f68572aff517b30500a9fc4b4cfaebe6dd7c3c7cba7a714f

SHA512
7df89d900c9520ec11f8693647c447370cc2a63937c0f4fc4253ef470c531252d3529b46493787ecbc19ebb8c73d0f8b659c1600150bea32a6a3425aef87cd4a

Download Submit
memory/1028-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1028-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1624-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1624-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1624-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1624-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1624-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1780-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1780-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1796-46-0x00000000003A0000-0x00000000003C4000-memory.dmp

Filesize
144KB

Download
memory/1796-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1796-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1796-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1796-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1796-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1992-69-0x00000000001C0000-0x00000000001E4000-memory.dmp

Filesize
144KB

Download
memory/2424-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2424-23-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2424-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2964-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2964-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3052-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3052-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download