Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 23:56

General

  • Target

    6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe

  • Size

    92KB

  • MD5

    6449ca46b56dfd97a1a515c7545c9ba0

  • SHA1

    db2208c9ca213a03f97849de69c4611f90e7b909

  • SHA256

    ffdc1716124055192eef057867cec06c97d505be20443850ba4859aa2620e3a9

  • SHA512

    c60748762d871e3a5031b692011b44038964a31f0fdd4674b5e489f2bdaa5d206237415d8d9ccbf0c976a239d16775cb7396aa8df91752db5014161f9a4a6f3c

  • SSDEEP

    1536:Ud9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:sdseIOyEZEyFjEOFqTiQm5l/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:352
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:1988

Network

MITRE ATT&CK Matrix

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    92KB

    MD5

    646e95436e49b94644c735e93d65dfcc

    SHA1

    eca5b8a25bcd11d79eb973c22741b92f778ef00a

    SHA256

    3cf2c2591c867d36f4d9b7d31ea61de8eed925df4c3e676a77aa0b742ba9ea0c

    SHA512

    cf2e912608857cdd974c849074891c0e8a6b12a7f4d01dcfc51c3c41f28bcbc01f5a524ffc88f6271f4a9f0f9aa809b2fc8f861fd11d82c6cb6362d45bba3eb7

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    92KB

    MD5

    c94a7d24a8d629684cc8b90f372a7b99

    SHA1

    90adb11db9efb6682693f079926741d76826c408

    SHA256

    6cfbc523a86ff559e5f29e44ee580f4aac591fd1e6ce359a01c18dd0ac970c87

    SHA512

    9d6aeeb4c8e369db3119183a2a7643b46c6bd9534a67b371fcbe49931ce9e95c114b624877f96b8d546a121ee92e71ee74ca70c623e9363b9fc31839a0b4f48b

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    92KB

    MD5

    539ea1a15f26439037b594b043c368a7

    SHA1

    05f05d5d6c17c74b5b8617f318b7c033a5680247

    SHA256

    4318e1d26bc37dbd22b5f8bc77ca251bcaeb58908b3a79ad36650eab6a98dbf3

    SHA512

    63606457ff67e4d13e5b9cac41bb296dc931ada28b3e62360ad2194610db667d8f3af34c3cb0ae0fd04191b8f293ce1c21b869dbab754a0b058d6bfae644e0b4

  • memory/352-26-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/352-35-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1988-37-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1988-39-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2956-9-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2956-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2956-4-0x00000000003C0000-0x00000000003EB000-memory.dmp

    Filesize

    172KB

  • memory/3044-12-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/3044-13-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/3044-18-0x0000000000390000-0x00000000003BB000-memory.dmp

    Filesize

    172KB

  • memory/3044-25-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB
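The Processes tree and the Downloads list above together give the practically useful indicators: the original sample spawns omsecor.exe from AppData\Roaming, which writes a copy under the System32 directory (shown as C:\Windows\SysWOW64 because the 32-bit process is subject to WOW64 file system redirection on the x64 image), and that copy re-launches the Roaming binary. Note that the three dropped copies are all 92KB but carry different MD5/SHA hashes, so hash-only matching will miss the next drop; the paths, the parent/child pattern and the C2 hostnames are the stable indicators. The following Python script is an added example, not part of the sandbox report: it loads the hashes, paths and C2 hosts printed above and runs them over a constructed batch of process-creation and DNS events whose format (dicts with pid/ppid/image/md5, or a DNS query string) is an assumption made for this example, not a real EDR schema.

```python
"""Hunt for the indicators in this report across constructed sample telemetry.

Added example: hashes, paths and C2 hosts are copied from the report above;
the event format and the sample events themselves are constructed for
illustration and do not come from the sandbox run.
"""
import re
from urllib.parse import urlparse

# MD5s from the General and Downloads sections.
FILE_IOCS = {
    "6449ca46b56dfd97a1a515c7545c9ba0": "original sample",
    "646e95436e49b94644c735e93d65dfcc": "omsecor.exe (AppData\\Roaming, first copy)",
    "c94a7d24a8d629684cc8b90f372a7b99": "omsecor.exe (AppData\\Roaming, second copy)",
    "539ea1a15f26439037b594b043c368a7": "omsecor.exe (SysWOW64)",
}

# C2 URLs from the Malware Config section, reduced to hostnames for DNS matching.
C2_HOSTS = {
    urlparse(u).hostname
    for u in ("http://ow5dirasuek.com/", "http://mkkuei4kdsz.com/", "http://lousta.net/")
}

# Drop locations from the process tree. The user profile name is a wildcard, and
# both System32 and SysWOW64 are accepted: the report shows the command line as
# System32 but the image as SysWOW64 (WOW64 redirection for a 32-bit process).
DROP_PATHS = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\omsecor\.exe$", re.I),
    re.compile(r"^c:\\windows\\(system32|syswow64)\\omsecor\.exe$", re.I),
]


def is_drop_path(path):
    return any(p.match(path) for p in DROP_PATHS)


def match_file(path, md5):
    """Return a reason string if a file/process image matches, else None."""
    label = FILE_IOCS.get(md5.lower())
    if label:
        return f"hash match: {label}"
    if is_drop_path(path):
        # Each dropped copy had a different hash, so the path is the durable IoC.
        return "drop-path match (hash differs per copy)"
    return None


def match_dns(query):
    """True if a DNS query names one of the configured C2 hosts."""
    return query.lower().rstrip(".") in C2_HOSTS


def chain_hits(events):
    """Flag the re-spawn pattern from the report: an omsecor.exe in one drop
    location spawning an omsecor.exe in the other (Roaming -> SysWOW64 and
    SysWOW64 -> Roaming). Returns (parent_pid, child_pid) pairs."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for child in by_pid.values():
        parent = by_pid.get(child["ppid"])
        if parent is None:
            continue
        if (is_drop_path(child["image"]) and is_drop_path(parent["image"])
                and child["image"].lower() != parent["image"].lower()):
            hits.append((parent["pid"], child["pid"]))
    return hits


def scan(events):
    """Run all three checks over a list of events and collect the hits."""
    files = [(e["pid"], match_file(e["image"], e["md5"]))
             for e in events if e["type"] == "process"
             if match_file(e["image"], e["md5"])]
    dns = [e["query"] for e in events if e["type"] == "dns" if match_dns(e["query"])]
    return {"files": files, "dns": dns, "chains": chain_hits(events)}


# Constructed events mirroring the report's process tree, plus two benign ones.
# PIDs and hashes of the malicious entries are the report's; the benign MD5 is a
# placeholder, not a real notepad.exe hash.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2956, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe",
     "md5": "6449ca46b56dfd97a1a515c7545c9ba0"},
    {"type": "process", "pid": 3044, "ppid": 2956,
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "md5": "646e95436e49b94644c735e93d65dfcc"},
    {"type": "process", "pid": 352, "ppid": 3044,
     "image": r"C:\Windows\SysWOW64\omsecor.exe",
     "md5": "539ea1a15f26439037b594b043c368a7"},
    {"type": "process", "pid": 1988, "ppid": 352,
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "md5": "c94a7d24a8d629684cc8b90f372a7b99"},
    {"type": "process", "pid": 4100, "ppid": 1000,
     "image": r"C:\Windows\System32\notepad.exe", "md5": "0" * 32},
    {"type": "dns", "query": "ow5dirasuek.com"},
    {"type": "dns", "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    for key, hits in scan(SAMPLE_EVENTS).items():
        print(key, hits)
```

Running the block prints four file hits (the sample and all three dropped copies), one DNS hit for ow5dirasuek.com, and the two parent/child pairs (3044 to 352 and 352 to 1988) that make up the re-spawn chain; the original sample launching from Temp is caught by its hash only, since Temp is not one of the drop locations.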