Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 23:06

General

  • Target

    560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe

  • Size

    72KB

  • MD5

    560483ba12b15ea6a143e386d936be90

  • SHA1

    5168679dcd5f2fa464e1e149036d7b8571ca64db

  • SHA256

    9fe28c5afd054913b2e138ac47e9690a77b452725f85fea48e6d0fa9d34eee9b

  • SHA512

    27ebc83ef129f549f8942f046d0f01b427139961700dad578da2065d3d94f0eeeba4301fe015f9e98539c6c5d4ca1d18264c42bb2b19b56333cb67b8348ba5ad

  • SSDEEP

    1536:Ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211:7dseIOMEZEyFjEOFqTiQm5l/5211

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:2768

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    72KB

    MD5

    913138a0d13d9bea5212ead7c8ecb86f

    SHA1

    7865ec6784b9e7510ec2ca08409c1a33f16656d3

    SHA256

    f4c21fd66a164398278bc627ea7213185108275443a7fa0bed3e734e0f71cf12

    SHA512

    ce0e9203e6c321f267f75a3472df8b1971035048ac6c99202ce7bd6e72011f1d6b0628cca18dfe7659ece1447ea7f25e25a8d678ee6bbce13709cfcf94e167b7

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    72KB

    MD5

    8c4d20f2bc54dbefa7fb35520743ede0

    SHA1

    f43a6f3969d8f5a2eed4ff94b10cc79cfc937880

    SHA256

    547e850cebfec5ea3747e6644239b2e2916ef3573d2cd48d49a88aba47e08837

    SHA512

    8681877495543e1e7b7f7894c2573fc19bed5a089b4df197a5d661191b46732e7a8218909c85288b579905972558ebc8fd4d01152a2dc6acfa43a4356caee602

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    72KB

    MD5

    afa9ddcee5ebe39e1e67c318410ba9a4

    SHA1

    265e75987013d04dac280d9b587c7c1a355182e0

    SHA256

    614ddfeaff2f292a12602b054112f73835c119779b197d63463b7296b5fb741d

    SHA512

    d8cc87688981139398729af715fc8e963a0910a50a7c0159306f57e58df11e41b96e4ab5fb255f584504223c16b922c6e5ce7f4ff3dc13465e066f6cb8025c30