Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-05-2024 22:21

General

  • Target

    4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe

  • Size

    35KB

  • MD5

    4a3e205eda2bf17b4814f80634f85020

  • SHA1

    86b186846dd3e3d0c9991f67bdf15acfe810a119

  • SHA256

    611c99ba02d45fb455adedfbf2fcd66ef46786e9805a60ea0b691c21e41b82a8

  • SHA512

    d87c476cc2ebcadfc0ba8826873536c20dc5bb7600bdb0c16841855ef8103fe5985082bed349defc1c662d1e6949655e97c7a0a3556f3a701009602d7429095f

  • SSDEEP

    768:T6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:O8Z0kA7FHlO2OwOTUtKjpB

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4288
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:3028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    35KB

    MD5

    47d23b50ebffe846cc961a2047352357

    SHA1

    ac1ddb731430964777d181ab3bd6c72a32b812eb

    SHA256

    5fd29ff0315b2f103f48d9645b705bd8d79484348562ec8df0c61a8e4fd5a04b

    SHA512

    1c702185a320324ee2df176cc0808da8ca55fcf946b3e8178a173cf390bf1a998a36a751bdc34e69b60b0270905eff99f38551ce698634f0bd0a1cbd38d86122

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    35KB

    MD5

    35e1a71514f0f9e71e3900afb564f098

    SHA1

    5388563141e847552f4d94ad8f1c3f0e333a5b99

    SHA256

    e52320d1c25883a936646abaef0a1b6dae7f6405e424cbbd968a7a0b06442da2

    SHA512

    c2e34a6ba0b0595b6eb04d59852662648ec655f2eecbf5ae76a9c1bcfa4b07dd2129e0671bd3e4a62ed1c755629007a3addb00f8d5911dfbab19233024fd7b98

  • memory/1072-6-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1072-7-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1072-10-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1072-13-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1072-14-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1072-20-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3028-21-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3028-22-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3028-25-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4288-1-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB