Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-05-2024 23:56

General

  • Target

    6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe

  • Size

    92KB

  • MD5

    6449ca46b56dfd97a1a515c7545c9ba0

  • SHA1

    db2208c9ca213a03f97849de69c4611f90e7b909

  • SHA256

    ffdc1716124055192eef057867cec06c97d505be20443850ba4859aa2620e3a9

  • SHA512

    c60748762d871e3a5031b692011b44038964a31f0fdd4674b5e489f2bdaa5d206237415d8d9ccbf0c976a239d16775cb7396aa8df91752db5014161f9a4a6f3c

  • SSDEEP

    1536:Ud9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:sdseIOyEZEyFjEOFqTiQm5l/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6449ca46b56dfd97a1a515c7545c9ba0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:5052

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    92KB

    MD5

    646e95436e49b94644c735e93d65dfcc

    SHA1

    eca5b8a25bcd11d79eb973c22741b92f778ef00a

    SHA256

    3cf2c2591c867d36f4d9b7d31ea61de8eed925df4c3e676a77aa0b742ba9ea0c

    SHA512

    cf2e912608857cdd974c849074891c0e8a6b12a7f4d01dcfc51c3c41f28bcbc01f5a524ffc88f6271f4a9f0f9aa809b2fc8f861fd11d82c6cb6362d45bba3eb7

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    92KB

    MD5

    9b088f2a348dfca3104407d1fa545e96

    SHA1

    df0406a3d84d2412d1d6745fcd529a258faa5dd9

    SHA256

    597459f804df9a8a98eb7f45f3c0587c507f794f14deb0d131c442018862de17

    SHA512

    3c8f934696ef909010de17627ba46fe30732817c7ac2dbb7387024b1a4555434a2eb3fd39b5a6c455c78cc735f7dc466a0da25b026e55868275d55016c2f6a7d

  • memory/1876-5-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1876-6-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1876-11-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/3484-1-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/5052-12-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/5052-13-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB