Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-05-2024 23:06

General

  • Target

    560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe

  • Size

    72KB

  • MD5

    560483ba12b15ea6a143e386d936be90

  • SHA1

    5168679dcd5f2fa464e1e149036d7b8571ca64db

  • SHA256

    9fe28c5afd054913b2e138ac47e9690a77b452725f85fea48e6d0fa9d34eee9b

  • SHA512

    27ebc83ef129f549f8942f046d0f01b427139961700dad578da2065d3d94f0eeeba4301fe015f9e98539c6c5d4ca1d18264c42bb2b19b56333cb67b8348ba5ad

  • SSDEEP

    1536:Ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211:7dseIOMEZEyFjEOFqTiQm5l/5211

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE (3 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1020
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4460
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:2208

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    72KB

    MD5

    5122c2fcaaba9aafadfb0b1331d42638

    SHA1

    36a9252e2f2b1dd47381f527997753722147d0f6

    SHA256

    d3d0be9439335c979c4a127a90102dae0a1e860f2420661689c7871af9d43cd3

    SHA512

    8d57f38ccfee7031d743ef6247d517b469cbbc3adec833e20b5346e5821d56421b15518f075badf10202053b8465759c974c2f2fd21dde133ebfd755d003a507

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    72KB

    MD5

    913138a0d13d9bea5212ead7c8ecb86f

    SHA1

    7865ec6784b9e7510ec2ca08409c1a33f16656d3

    SHA256

    f4c21fd66a164398278bc627ea7213185108275443a7fa0bed3e734e0f71cf12

    SHA512

    ce0e9203e6c321f267f75a3472df8b1971035048ac6c99202ce7bd6e72011f1d6b0628cca18dfe7659ece1447ea7f25e25a8d678ee6bbce13709cfcf94e167b7

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    72KB

    MD5

    0f80ec2a5fea78f2ef1dbdd9a17c2e95

    SHA1

    1600c8e6bc541c796711a67ac53adaf4712eb6c3

    SHA256

    99e1e4df7c395c0d7a42970f702f258bd478c9025460cd2da22ac91b1c21f481

    SHA512

    b41da0939441b5ea6c431143b3bb72819be6e52581417e509683fc3eacea55696f2d0c20253f2ce8fab0ee245e7c71786a1928057f8ffe3a5cf43a2e12213379