Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-05-2024 03:25

General

  • Target
    9884ca4816c2dec04fda5f3ae6484370_NeikiAnalytics.exe
  • Size
    89KB
  • MD5
    9884ca4816c2dec04fda5f3ae6484370
  • SHA1
    b9912a1513c4d850a4ce82f4ba09bf5486d83b3f
  • SHA256
    8cc5952323d33d54ab6a02333ed87f0e598133b9ac607c287f1e9aa4b64ff3a6
  • SHA512
    35bfb998c460ff6f94c4ad00e2be3d53e3dfe88038a7c80e5d38209a386911a9829f699de54c67d03d4a1aed5947316c8914786c6858259b632d8c7341e2ea71
  • SSDEEP
    768:kMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:kbIvYvZEyFKF6N4yS+AQmZTl/5

Score
10/10

Malware Config

Extracted

  • Family
    neconyd
  • C2
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9884ca4816c2dec04fda5f3ae6484370_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9884ca4816c2dec04fda5f3ae6484370_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:2008


Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe
    • Filesize
      89KB
    • MD5
      aeab40b561f779cf24c622387ab9331d
    • SHA1
      be9c33866639731c2329c25a6c7a2269ec286754
    • SHA256
      f1a6bd3fe2e13f72816e29c03c462f2a558479af6b270d65c05540534e105f3c
    • SHA512
      e747dba10f2fae692673cfa34e9d6500454e2a0a6bedff4f5c0e5e78e01ab6aae72b135367545e4c24fa206e9cc6af2642a7c53ae89613d7c6ba20b12918c44a
  • \Users\Admin\AppData\Roaming\omsecor.exe
    • Filesize
      89KB
    • MD5
      e30ff853bc510e32f9370c71417e1624
    • SHA1
      e3a0d8b01c1b72b3f8eabc4953b55db1fd5d97f4
    • SHA256
      bf19857577b61063699941bd097f6b6691feac86bf0b741936e5c25643aa55a4
    • SHA512
      2f72f54be93771e6896e1fe31efe75c02b8a1529b70879eee9ecc503fb0a57f3e01be1549c21955b1438117b208d0c38d6cb2d9136836d4a1c1e967dfa5150b6
  • \Windows\SysWOW64\omsecor.exe
    • Filesize
      89KB
    • MD5
      ac64a8796a2b35c2329970fda0db9905
    • SHA1
      a096ce4f710f89718ed0aad81af511a727db1d47
    • SHA256
      4de1aeb71a98e960fd2dd0942edc07e6852954ddc705408ccbce1b9790a60b4b
    • SHA512
      9775cb3785f77eb08c589ebd101d2e45908f89df9c5b12b7c5af0ceb5ff10eb862b7e4a2637890a0205a1213385df3a44826a55d6fc9b6019cbf3cc28bc6d69d