Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-05-2024 22:28

General

  • Target

    4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe

  • Size

    35KB

  • MD5

    4c1844acd093de809b95044c34eb5020

  • SHA1

    f410b1a20a30d947c8a2b158520e0640779f51d2

  • SHA256

    0f4810f9b49d94e5262128a2456486b076734db252d2ca492463c8a21485ba53

  • SHA512

    ff2bcc8f8dbfa946bffc34f576672c3f16216f12605616d8093114725470388b0cb9961b31904a87128042eb95d75b4d0c16c5326140e98f0a09b5bc2afb1962

  • SSDEEP

    768:u6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:18Z0kA7FHlO2OwOTUtKjpB

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:3324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    35KB

    MD5

    66039958bca2e90753432bb1bf87d4bf

    SHA1

    c09d28def543147c6d9c79f0e0385f69603f7af0

    SHA256

    c75dcd8e1415a859379125ee75a3a15e6070e10bb5fd7e35084c3b012ff3b9c3

    SHA512

    c2d42d76a22eb42982145307ce8a7c790851b8c9d957c383792beed6bd4b89db836c7d2835b8663eec4c204ba1661b20d90d46ab7e61a868270c9ff93994b345

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    35KB

    MD5

    5345266a3f919583d4ce769247183980

    SHA1

    62462d4c6d7ee2baf14440cd048bff9e4720b57a

    SHA256

    9e39cc810e313e51d8399409cb34aeaa336257558ad3fa9c6423202c4fdf00d5

    SHA512

    bf8358260720bf8f5cee0264c006757d2483b088bab955c2451a32454f70f81793cdcfd469d03ec38f895eb6a6bc03fdfaaaf3c2890fbe57600e84ec74e77f61

  • memory/1644-4-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1644-0-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3324-25-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3324-22-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3324-21-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3952-13-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3952-14-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3952-19-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3952-10-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3952-7-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3952-6-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB