neconyd | e9ec73d13ebeb954a4c741c2ae91fb07c8b80eaf44d9609de291d5a4a34f36a3

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe
Size

134KB
MD5

89ceb3fcaf666d81e6c85f94757b0ca0
SHA1

e9ec7a03a8e115c54c8e52003bcc098c28be0580
SHA256

e9ec73d13ebeb954a4c741c2ae91fb07c8b80eaf44d9609de291d5a4a34f36a3
SHA512

46f61c652480ff64591dd96626ccb8446197f0506f515de8d7201da1e25883851b439d8b6355bbbfa2082ac9d83e46ed505abf5f867f7a51c3607c6042532c6a
SSDEEP

1536:tDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:9iRTeH0NqAW6J6f1tqF6dngNmaZC7M

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
1400	omsecor.exe
2500	omsecor.exe
4476	omsecor.exe
4344	omsecor.exe
2972	omsecor.exe
4968	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 436 set thread context of 4944	436	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	84
PID 1400 set thread context of 2500	1400	omsecor.exe	89
PID 4476 set thread context of 4344	4476	omsecor.exe	113
PID 2972 set thread context of 4968	2972	omsecor.exe	117

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2812	436	WerFault.exe	83
4060	1400	WerFault.exe	86
4544	4476	WerFault.exe	112
3960	2972	WerFault.exe	115

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 4944	436	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	84
PID 436 wrote to memory of 4944	436	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	84
PID 436 wrote to memory of 4944	436	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	84
PID 436 wrote to memory of 4944	436	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	84
PID 436 wrote to memory of 4944	436	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	84
PID 4944 wrote to memory of 1400	4944	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	86
PID 4944 wrote to memory of 1400	4944	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	86
PID 4944 wrote to memory of 1400	4944	89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe	86
PID 1400 wrote to memory of 2500	1400	omsecor.exe	89
PID 1400 wrote to memory of 2500	1400	omsecor.exe	89
PID 1400 wrote to memory of 2500	1400	omsecor.exe	89
PID 1400 wrote to memory of 2500	1400	omsecor.exe	89
PID 1400 wrote to memory of 2500	1400	omsecor.exe	89
PID 2500 wrote to memory of 4476	2500	omsecor.exe	112
PID 2500 wrote to memory of 4476	2500	omsecor.exe	112
PID 2500 wrote to memory of 4476	2500	omsecor.exe	112
PID 4476 wrote to memory of 4344	4476	omsecor.exe	113
PID 4476 wrote to memory of 4344	4476	omsecor.exe	113
PID 4476 wrote to memory of 4344	4476	omsecor.exe	113
PID 4476 wrote to memory of 4344	4476	omsecor.exe	113
PID 4476 wrote to memory of 4344	4476	omsecor.exe	113
PID 4344 wrote to memory of 2972	4344	omsecor.exe	115
PID 4344 wrote to memory of 2972	4344	omsecor.exe	115
PID 4344 wrote to memory of 2972	4344	omsecor.exe	115
PID 2972 wrote to memory of 4968	2972	omsecor.exe	117
PID 2972 wrote to memory of 4968	2972	omsecor.exe	117
PID 2972 wrote to memory of 4968	2972	omsecor.exe	117
PID 2972 wrote to memory of 4968	2972	omsecor.exe	117
PID 2972 wrote to memory of 4968	2972	omsecor.exe	117

C:\Users\Admin\AppData\Local\Temp\89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:436
- C:\Users\Admin\AppData\Local\Temp\89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\89ceb3fcaf666d81e6c85f94757b0ca0_NeikiAnalytics.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4476
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 256
        8⤵
        Program crash
        
        PID:3960
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 292
        6⤵
        Program crash
        
        PID:4544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 288
      4⤵
      Program crash
      PID:4060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 288
  2⤵
  - Program crash
  PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 436 -ip 436
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1400 -ip 1400
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4476 -ip 4476
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2972 -ip 2972
1⤵
PID:628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
cd34f5c11e273a3c7eede770e88c9b33

SHA1
df67e37cc890152dd6b6aebb71f5cdd51f17b203

SHA256
a718dc3a3b5b424c93095b9679ce4bd6e7babb71118ca82decf5879105d12294

SHA512
cf96b45564b99ab9880773984f7460acd7ad7cbd912ef9beea44224f9fce4d509260da57f20007950ecdc637ad3f49d54c1a85fe51c5d039c92928a6f4a9c0da

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
6951ec32ce694525b64612ac38ef0631

SHA1
5313b246c2e6ccdf20d09570d7a19044b3a994d6

SHA256
e205d03457bafa4c219d83374698915a743f115e8bdc9b90fe316d51b99007cf

SHA512
5f26ddbf770a079028254d46f1ed21cbf71b42e38fc55b18bb657fb4d6003f5ba28f343020e1cae7f8856f783d995097dcba56bac2e277ec7cc52b4ec9995a80

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
bb4843a51e0c91c5539e1b65925e7a09

SHA1
d13115305d65bf018dc873d081c654cdbba824e2

SHA256
39f8c56c761a8e1e751672dd3da0313546bbca07cae00dcbe5d7abd6f24acdb3

SHA512
6577401b69beefd3ce1a1345872bcecaff445f23eace4537e724d4246e40f1db9ff7d3d484a757dc95a814bee67131db3ff4c4b7a4a11b38dcc4df0a8b06d181

Download Submit
memory/436-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/436-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1400-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1400-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2500-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2500-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2500-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2500-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2500-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2500-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2500-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2972-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4344-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4344-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4344-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4476-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4944-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4944-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4944-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4944-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4968-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4968-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4968-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4968-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download