Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 15:30

General

  • Target

    e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe

  • Size

    134KB

  • MD5

    e444da3b42335ab84fedf3405c40c630

  • SHA1

    5dfeda8113e9f94a4b87c6e71c34206aa3426dba

  • SHA256

    e4d80583e99b1a56c5b4029c7403eddd1aeb098378337e297892d17b7436219e

  • SHA512

    b83c3c02505708bc3737d17f1f96a6882ec97b3d07ea99e3a83886c116b29294c77b8fff1eb48d12dcafeadb261185b811f3ef050d638bf8e1a8ed37c17159d5

  • SSDEEP

    1536:oDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:OiRTeH0NqAW6J6f1tqF6dngNmaZC7M

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
      C:\Users\Admin\AppData\Local\Temp\e444da3b42335ab84fedf3405c40c630_NeikiAnalytics.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2340
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:2392
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2336
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2736
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2316
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  PID:1748

Network

MITRE ATT&CK Matrix


Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    134KB

    MD5

    ebff5912f487cc7e8043af0b5faaf6d8

    SHA1

    d3b9cec1654186356d365fb12ea2f51757ebaa27

    SHA256

    e0a350f734b2f31399610bcf6d1c2df7e1a688b108a272484ab801c24f9680d8

    SHA512

    40cc008fbdb0dd16b5667d0ddb51ad04bbd1644ffc1e58108fffe1ce34bce59645eeb1f4189f0458cfa9f122e5fc0d1e1c4eadaa3d7fe91c1151a4f09fda54f1

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    134KB

    MD5

    793639c796fb24909caabea9a4bce7b3

    SHA1

    e6b83345985ffd053fd8e42848dbb55bc5f18904

    SHA256

    8eba1c25c82682945b78366c25fbc40567c592866a5003d22c0499191ef0f174

    SHA512

    d0b184668b7bf662e6cf804fce8668e2f5f6759a7674112badd409b1530e09d3727b0563285b1cf6fb8c980a51fb86e01260a8016af9c3f19db89e4babce23d8

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    134KB

    MD5

    c1094d6d09679c1dc736197caffcd561

    SHA1

    cae01aaa7f6ab91a86f6033e50c921f6bc60afae

    SHA256

    79534e61998ab5234b03021774dda379976ce64729bf17a7e0f9e007fc581bc8

    SHA512

    d887c7e7e85e7ff584641a40186f554665961ad7129a7887e7594d781b9bad42b75b24812eaf1a8d8c376fc556a7822b62ab864634d6fdce68d1af6a0522d47e

  • memory/1748-87-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/1748-90-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2008-10-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2008-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2008-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2008-13-0x0000000000230000-0x0000000000254000-memory.dmp

    Filesize

    144KB

  • memory/2008-8-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2008-2-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2316-84-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2316-78-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2336-56-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2336-63-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2340-30-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2340-21-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2348-0-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2348-7-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2392-43-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2392-40-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2392-46-0x00000000020D0000-0x00000000020F4000-memory.dmp

    Filesize

    144KB

  • memory/2392-55-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2392-37-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2392-33-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2736-69-0x0000000000230000-0x0000000000254000-memory.dmp

    Filesize

    144KB