Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-05-2024 21:42

General

  • Target

    419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe

  • Size

    88KB

  • MD5

    419fb94993688f5ba07303c9ebfdd100

  • SHA1

    36c7bd34d76734e3f0d5f8930761b7e63c2c23eb

  • SHA256

    78275a526e8128da61eb9bcf7d23d082b513c78eec1b9864f3f54134d344be7e

  • SHA512

    fb384da4b2b11f48876bae9fc4ac210b244f49d4d58d813ef3f6095b656e67789478a49348f27fe20ad4bb7e3f0bd4fe76cc677c1b676d90f35b41779f9b9351

  • SSDEEP

    768:uMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:ubIvYvZEyFKF6N4yS+AQmZTl/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE (3 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4324
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3672
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:4400

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    aebd5276b5031e6d8aae23bc581ef32a

    SHA1

    914ede2da717ba26ec7b9f2a249731a19570a10e

    SHA256

    3bbca189fcb80779a3296d4afac3c4cceba2e3650feb0779b84f1e11383574dd

    SHA512

    3dfe131e3418af30693de5bac71cbdd01bc6c9fe52ac4f54a78259e9bb63e9e46f6858030c2a5799632db8b86b901da9d68e2127bc99272fdb66a8081b1ff5d3

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    216a5a3f44909fa0cc6cd66a8c4a84fa

    SHA1

    26d5c36b70479d4170ea470b10d7668a54835eba

    SHA256

    19ce62857c5a380d05d52325e390c8b1ec4299f7cb0eab69012acd2ad7328be0

    SHA512

    d97fbfdb800416c0618910da1c3953c8e2160ff2e642c5c8bc4b2affc8ea820d91fb09251e68c75469b817d6d0cab34faab7e24b869a50fa05f9f7409744bd10

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    88KB

    MD5

    ba9ca3181e6acdd3c6d80e66a1077cff

    SHA1

    885fbec3aab1294210087e1f2f3577f02c937803

    SHA256

    cbb7d019c810aa09c18b29c93e399294d7a219a1871ed9633bf56bcd4a471c53

    SHA512

    59a5d26f318108f4609cf7afd10a1d714e7e9758fa6acb1e8928ad76547739ebb8576032b969e15d1431bce6a19e1d28a3803b223c85e3c64a00f23d94b9be01