Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 16:44

General

  • Target

    f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe

  • Size

    134KB

  • MD5

    f6a0b013d09974e204dea75b6b77ce90

  • SHA1

    df3bcaa3fad6d501f909fa7da71eee0d51bc0a0c

  • SHA256

    892b63b4b9488cc1c62d418da8b427719e392547338f175a9be072fd8bc2c619

  • SHA512

    475ca9bbde7339bf9548a8d696cd271fc755c49fcd7d3961d4b97dac29096961f7b94beea68797f62e8b447575f8d54534a4bbab9f9065ec260340cedbf03493

  • SSDEEP

    1536:PDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:7iRTeH0NqAW6J6f1tqF6dngNmaZC7M

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
      C:\Users\Admin\AppData\Local\Temp\f6a0b013d09974e204dea75b6b77ce90_NeikiAnalytics.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2992
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2408
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:572
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1000
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  PID:2240

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    134KB

    MD5

    839554688e674750501bb4ee37ce4485

    SHA1

    97e21fe732e00a5453b2c81cdaf0e443eca2087c

    SHA256

    af21b58c5fb636d935414c4cd6bc5ad8a81b64806e82e557bdfa1283572df08e

    SHA512

    bfb27907d93f7e56f77d299f4187d9d29a3914fd7ba3b70db99ce9e96caf77135aa90c0d523f8b6e37edbc342164ccbb2561afd7f77d3d70a7829d160a96e5e0

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    134KB

    MD5

    d4c6cd7c0b7cc06520db971df2b61b4c

    SHA1

    5843adf3b35e97e44e43f04c3341300119f67d90

    SHA256

    50c03ddc511cda534cac111ef1f3cd3cc944ff67bfc9a31ac6d1879259b92f7c

    SHA512

    6955708588efeca0e881e10e219d95f506fb8cca16370becfd234bca853b29bf0a7ee4ccd93252560377d37c39af092388ff25d543ad8c93f906bbca34d59f78

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    134KB

    MD5

    29de4db7e3822e6f31930cbe173a01c7

    SHA1

    b7562f22537eb25af5b2215431544ad34559bd6d

    SHA256

    a18d66c3a027e0cb8117fbdbe4ddb62f5a02f623dca0a2fd0a786c360e8ffcbe

    SHA512

    cb586d18869d3b0534aea19ecd2a51b56b48ee35b8f3e0569b31dc6e4b54e04245c26fe96860fed14b12854a4f3cd2fe5ab95bc15a4c4f315f517b38c3c15a28

  • memory/1000-77-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/1000-84-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2032-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2032-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2032-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2032-13-0x00000000002C0000-0x00000000002E4000-memory.dmp

    Filesize

    144KB

  • memory/2032-19-0x00000000002C0000-0x00000000002E4000-memory.dmp

    Filesize

    144KB

  • memory/2032-8-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2032-10-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2240-86-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2240-89-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2408-64-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2408-56-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2804-34-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2804-46-0x00000000007A0000-0x00000000007C4000-memory.dmp

    Filesize

    144KB

  • memory/2804-54-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2804-43-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2804-40-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2804-37-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2892-0-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2892-6-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2992-30-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2992-22-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB