Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 13:52

General

  • Target

    cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe

  • Size

    88KB

  • MD5

    cf2fd20fe34f0e3912692b87010dae50

  • SHA1

    8e05d1da78b9469e4632701e1ee3e681f944afb4

  • SHA256

    4775da73afa39225b4594fe94bd05850bac7777f0ca3a42c5b42ddb923215823

  • SHA512

    42038ccea14ad842029ef695890b86df68e80f035e02b9d3e24155efe71dec8ef8fcf23d76b1ac6c0b792aca43eb598a61f3554a6fdc0f4a833531f7ef9283a6

  • SSDEEP

    1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:XdseIOMEZEyFjEOFqTiQm5l/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\cf2fd20fe34f0e3912692b87010dae50_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:1736

Network

MITRE ATT&CK Matrix

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    131b25d0a970b0f44c002bf6bd4d27f8

    SHA1

    153288c91e5a429ce158acf93c3001945da4ef84

    SHA256

    adf89be5638650b37d674af80e9504fd8c201f91509be5f8645610806d4e9eb0

    SHA512

    866e54e10146fa35904de5dd78daab296d649c093813cefa24f8860ad88e25f5a53c4a0edf9e7370a360b6d4fa1c12e586ed070f325d708fdf24c719a84a8564

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    88KB

    MD5

    d296903c20bf5cebec7c173a05bfa36f

    SHA1

    88c25b33d07449d95eeb18e7477f10ea22b6f2dc

    SHA256

    24fe7e3907b9a36b95a813ab340f21f922d0eae303f1ae3bb8ef04430492f5d1

    SHA512

    1814bee032efcb1cd173d81d57bf4f33080b30e9262398b21632bc21f966a4054ab07c8dcc5c28610bb6a7b4621b38833b61768ef07b1fe5405b04b2efddc231

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    88KB

    MD5

    2a378599d59c580fb40d7347ff612a72

    SHA1

    88e72b8da6edf364b830ac147981433e293bc7ab

    SHA256

    c16bbd5bee904435c93799d420db3584ba510d60372d8bb26ab6bee15ca84b3d

    SHA512

    4959802ad3409d65cf452c8189d718d4871ead535d8ad954808a306baa128d389193800d5d28d37cdbf72190d48c01008d4e7a936550e06ff2e0b557c5ed727b