Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 21:42

General

  • Target

    419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe

  • Size

    88KB

  • MD5

    419fb94993688f5ba07303c9ebfdd100

  • SHA1

    36c7bd34d76734e3f0d5f8930761b7e63c2c23eb

  • SHA256

    78275a526e8128da61eb9bcf7d23d082b513c78eec1b9864f3f54134d344be7e

  • SHA512

    fb384da4b2b11f48876bae9fc4ac210b244f49d4d58d813ef3f6095b656e67789478a49348f27fe20ad4bb7e3f0bd4fe76cc677c1b676d90f35b41779f9b9351

  • SSDEEP

    768:uMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:ubIvYvZEyFKF6N4yS+AQmZTl/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1140
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:1768

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    5052fb59c0d8ef75c78896a750a1b100

    SHA1

    1e66406fb6cede99fb3821270a1fd9d04d67292c

    SHA256

    e31687bd53538d86f4c459876da87aefadb4455bbd164521f3b9dc067ec33b9b

    SHA512

    63e9ece5c35bc9a5ea22f802a80c68fbc48fb7533cc47d6e755abff0d2d8767170004aafaffcabcd0b9d8fdf75cd75f6c44f2f0892759b55a2cd1f9de98850bd

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    216a5a3f44909fa0cc6cd66a8c4a84fa

    SHA1

    26d5c36b70479d4170ea470b10d7668a54835eba

    SHA256

    19ce62857c5a380d05d52325e390c8b1ec4299f7cb0eab69012acd2ad7328be0

    SHA512

    d97fbfdb800416c0618910da1c3953c8e2160ff2e642c5c8bc4b2affc8ea820d91fb09251e68c75469b817d6d0cab34faab7e24b869a50fa05f9f7409744bd10

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    88KB

    MD5

    9b6739677ed80338497c4d7d74a8f12d

    SHA1

    3cefeb341e8ab7e616978173a113f1c752143c66

    SHA256

    a512f4bc1c8f032a3a49da458f062e2b1cc072ddebb0feb1d1c357d079fae38d

    SHA512

    58b9b916064d036017a96bcf3ed1fab7d493493b5b7c23fe367f13cf5d315be481207e3431ddbb864d379a833205a2b8256fd91a7f7f676657b94ae0ea3a794b