Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-05-2024 23:24

General

  • Target

    5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe

  • Size

    134KB

  • MD5

    5afd94cc31a233536072343ff517f3a0

  • SHA1

    1151a1bdec480b1bb013d6a0e1b59055cfee6688

  • SHA256

    335afed6ffd674bbcaa384fbbcb5f34d6bd3dd1dea45dbd043b58faea73b2195

  • SHA512

    2b0d844036c0b4c98625b92a08ae64d464e6ad5bc92c081cf953e30041ea7c64f3e39877eeb149bda5f1b1739ea06c2ed40e693eba2dc7158b44edde807288aa

  • SSDEEP

    1536:ODfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:wiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Users\Admin\AppData\Local\Temp\5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe
      C:\Users\Admin\AppData\Local\Temp\5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:1772
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:628
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3692
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2372
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  PID:4384
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 268
                  8⤵
                  • Program crash
                  PID:1404
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 292
              6⤵
              • Program crash
              PID:2540
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 272
          4⤵
          • Program crash
          PID:628
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 288
      2⤵
      • Program crash
      PID:4508
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 960 -ip 960
    1⤵
      PID:4512
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1800 -ip 1800
      1⤵
        PID:1308
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 628 -ip 628
        1⤵
          PID:1732
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2372 -ip 2372
          1⤵
            PID:4720
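
The process tree above shows the same sequence at every stage: a process spawns a second copy of its own image, then uses WriteProcessMemory and SetThreadContext on that child (the hollowing pattern behind the "Suspicious use of ..." signatures), and the hollowed child drops and runs omsecor.exe from %AppData%\Roaming and later from SysWOW64 (the System32 path in the command line is resolved to SysWOW64 by file system redirection for a 32-bit process). The script below is an added example, not part of the sandbox report or of the Neconyd sample: it replays a constructed, Sysmon-style event list modelled on that tree and flags the hollowing pairs, executions from the drop paths, and DNS lookups of the extracted C2 hosts. The event schema and field names are assumptions, and the DNS event is constructed only to exercise the C2 check; just the image paths, PIDs and hosts come from the report.

```python
"""Replay a constructed event stream modelled on the report's process tree
and flag hollowing chains, drop-path executions and C2 lookups.

Added example, not the sandbox's or the malware's code. The event schema
(type/pid/ppid/image/target_pid/api/query) is an assumption for this script.
"""
from collections import defaultdict

# IOCs taken from the report: extracted C2 hosts and the two drop paths.
C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}
DROP_PATHS = {
    r"c:\users\admin\appdata\roaming\omsecor.exe",
    r"c:\windows\syswow64\omsecor.exe",
}
# Both APIs the report flags; together on a same-image child they indicate hollowing.
HOLLOWING_APIS = {"WriteProcessMemory", "SetThreadContext"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5afd94cc31a233536072343ff517f3a0_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed events (assumed schema) following the PIDs and images in the tree.
# The dns_query event and the notepad control are invented for this example.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 960, "ppid": 4000, "image": SAMPLE},
    {"type": "process_create", "pid": 1724, "ppid": 960, "image": SAMPLE},
    {"type": "api_call", "pid": 960, "target_pid": 1724, "api": "WriteProcessMemory"},
    {"type": "api_call", "pid": 960, "target_pid": 1724, "api": "SetThreadContext"},
    {"type": "process_create", "pid": 1800, "ppid": 1724, "image": ROAMING},
    {"type": "process_create", "pid": 1772, "ppid": 1800, "image": ROAMING},
    {"type": "api_call", "pid": 1800, "target_pid": 1772, "api": "WriteProcessMemory"},
    {"type": "api_call", "pid": 1800, "target_pid": 1772, "api": "SetThreadContext"},
    {"type": "process_create", "pid": 628, "ppid": 1772, "image": SYSWOW64},
    {"type": "process_create", "pid": 3692, "ppid": 628, "image": SYSWOW64},
    {"type": "api_call", "pid": 628, "target_pid": 3692, "api": "WriteProcessMemory"},
    {"type": "api_call", "pid": 628, "target_pid": 3692, "api": "SetThreadContext"},
    {"type": "dns_query", "pid": 3692, "query": "lousta.net"},
    # Benign control: a process touching only its own memory must not match.
    {"type": "process_create", "pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "api_call", "pid": 5000, "target_pid": 5000, "api": "ReadProcessMemory"},
]


def find_hollowing_chains(events):
    """Return (parent_pid, child_pid, image) for each parent that spawned a
    child with its own image and then used both hollowing APIs on it."""
    image, parent, apis = {}, {}, defaultdict(set)
    for ev in events:
        if ev["type"] == "process_create":
            image[ev["pid"]] = ev["image"].lower()
            parent[ev["pid"]] = ev["ppid"]
        elif ev["type"] == "api_call" and ev["pid"] != ev["target_pid"]:
            apis[(ev["pid"], ev["target_pid"])].add(ev["api"])
    hits = []
    for (src, dst), used in apis.items():
        if (parent.get(dst) == src and image.get(src) == image.get(dst)
                and HOLLOWING_APIS <= used):
            hits.append((src, dst, image[dst]))
    return hits


def find_drop_path_executions(events):
    """Return (pid, image) for every process started from a known drop path."""
    return sorted({(ev["pid"], ev["image"]) for ev in events
                   if ev["type"] == "process_create"
                   and ev["image"].lower() in DROP_PATHS})


def find_c2_lookups(events):
    """Return (pid, host) for DNS queries that match the extracted C2 hosts."""
    return [(ev["pid"], ev["query"]) for ev in events
            if ev["type"] == "dns_query"
            and ev["query"].lower().rstrip(".") in C2_HOSTS]


def summarise(events):
    return {
        "hollowing": find_hollowing_chains(events),
        "dropped_exe_runs": find_drop_path_executions(events),
        "c2_lookups": find_c2_lookups(events),
    }


if __name__ == "__main__":
    for name, hits in summarise(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

The hollowing check deliberately requires all three conditions (parent-child relationship, identical image path, both APIs from the same source process) so that a debugger or a process merely reading another process's memory does not trigger it; drop-path and C2 checks are plain IOC matches and should be fed from the Downloads and Malware Config sections of the report rather than hard-coded in a production rule.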

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe

            Filesize

            134KB

            MD5

            cf4de8c7e946c26c2efdee3bb1f253a9

            SHA1

            3a70ee1a1a379cabda0597ca3f15418e3b462772

            SHA256

            f3ddf4dc76ccb30729025c9a72bf2eea14c83f9e9aee61e2c115ff481f9d806a

            SHA512

            d270f11b23a2af23a1fef10c14844a8498010034ac782849d1cf9290a13b1a0bd8a4e308eb898a1051ff9bec2f1eba0850f5c34300efd9b9a5293ba6fdd88ee8

          • C:\Users\Admin\AppData\Roaming\omsecor.exe

            Filesize

            134KB

            MD5

            3136f87d558f19234dffde62f80fc053

            SHA1

            09aa0482fe1fd731f0aba2d9218a16bed9a56f28

            SHA256

            87dd713da95cf6f0999f11dc98f227036ca2047e630fa3df9e7ee64dff65f1bb

            SHA512

            202f55c5583f0f55f2d5b765665c5ec1d8ad96d3711230e627a23d8570b6a36d800954c649985b5a27be1367dd42368d744b44f292177dfe31aab26cbd849a6d

          • C:\Windows\SysWOW64\omsecor.exe

            Filesize

            134KB

            MD5

            d01a07a65c805485a3448a937fb573f3

            SHA1

            ef4593b5efe12dfc5f3509ad7e8b1787c94ce2d2

            SHA256

            cf9d4e5b13aedcd5f40b74745b7ceea884993332829cae3229db5a8bd2489227

            SHA512

            80f24a10f6a4c3b6e7e6da94164aaa739d047b463f15928eddea0c955b3515d4ae76921654ee52451afea775dcba977ad2216a51c13967082f22682839096e5d

          • memory/628-32-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

          • memory/628-50-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

          • memory/960-16-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

          • memory/960-0-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

          • memory/1724-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1724-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1724-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1724-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1772-30-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1772-23-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1772-24-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1772-20-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1772-17-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1772-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1772-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1800-11-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

          • memory/2372-51-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

          • memory/2372-43-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

          • memory/3692-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/3692-35-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/3692-36-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/4384-47-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/4384-49-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/4384-52-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/4384-55-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB