Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 18:16

General

  • Target

    1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe

  • Size

    68KB

  • MD5

    1250fe92a2260f7c09dc1c5095dd5230

  • SHA1

    7f3725bfabb33a113b075622f577cba0ca66a86d

  • SHA256

    6fda56328ae06afb2adeba143f785bc80ba529a06b97d627251603698a886c7d

  • SHA512

    ae3c582915a86927a1116e3d555bb9603855cfc0e12cf4b7d0e560a90b18a294caf0a73e804b6b3df000a1609630a7f72fadb49454ad63cb3027c38707f77f45

  • SSDEEP

    1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:4dseIOMEZEyFjEOFqTiQm5l/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:2924

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    68KB

    MD5

    36ba5045984713994e40557aca4b1e0a

    SHA1

    639dfffa81c32e6fc0bb0a362f251ef4a5e6f1a8

    SHA256

    cd8f08327d1d2d2288d78996e39b9f76c1c947484a0d2fbca6e50b6f8455593b

    SHA512

    c8f0b9d1e15ae8f66d9637899166f2f665d0c3e4dfe3c3f8bff0ce67cf9e67767d4f1f68861852c3a0a198d4e304f51b392a4bea241583440e6f0fa3f7b9338b

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    68KB

    MD5

    921e3af9255bb97b8229deefc2071f6a

    SHA1

    f984ee09233cf7c8e74d1db3e061e08067f00cbb

    SHA256

    bff6a82f3de4096b293b2708ad3972ac8e22bd2d5fc549e8cc080e580dca1245

    SHA512

    e7e57d24607c359aa2146d3d380d7c6070ec28c9bfade13c120a35087b2e4df6ba343510fbca73ba9795ed32c4dad2560b7d39e7ff689e63d270a32b1616a682

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    68KB

    MD5

    d731e6fb560d9681b1fbad2d578935cb

    SHA1

    e31cd803557c66238f76e40ce606fef8f8ac2021

    SHA256

    2ceb82e483c69571bacebaf0fd47d25f5b16a2913d6952f33771e6a48c61152b

    SHA512

    6f4ffad1e19f35455af6d605d254453ad593a417569f64c208263a839056d0957a4ecacbbf0cb5124ea0926d86c663222d113772437b69510f837d4316cd1d9e
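The report yields three kinds of indicator: the SHA256 values of the submitted sample and the three dropped omsecor.exe copies, the two persistence locations in the process tree (%APPDATA%\omsecor.exe and SysWOW64\omsecor.exe; the second stage is launched as C:\Windows\System32\omsecor.exe but the file lands in SysWOW64 because a 32-bit process on x64 Windows has its System32 writes redirected), and the three C2 hosts from the extracted config. The script below is an added example, not part of the sandbox output and not code from the malware family or the sandbox vendor: it sweeps a directory tree for hash or filename matches and a proxy log for requests to the C2 hosts. The proxy-log line format and all sample inputs are constructed assumptions; adapt the regex to your own log shape.

```python
"""IoC sweep built from the sandbox report: dropped-file hashes, drop
locations and C2 hosts. Sample inputs are constructed for offline use."""
import hashlib
import os
import re
from pathlib import Path
from urllib.parse import urlsplit

# SHA256 of the submitted sample and the three dropped omsecor.exe copies
# listed under Downloads.
KNOWN_SHA256 = {
    "6fda56328ae06afb2adeba143f785bc80ba529a06b97d627251603698a886c7d",  # submitted sample
    "cd8f08327d1d2d2288d78996e39b9f76c1c947484a0d2fbca6e50b6f8455593b",  # %APPDATA%\omsecor.exe (first copy)
    "bff6a82f3de4096b293b2708ad3972ac8e22bd2d5fc549e8cc080e580dca1245",  # %APPDATA%\omsecor.exe (second copy)
    "2ceb82e483c69571bacebaf0fd47d25f5b16a2913d6952f33771e6a48c61152b",  # SysWOW64\omsecor.exe
}

# C2 URLs from the extracted config, reduced to hostnames for log matching.
C2_HOSTS = {urlsplit(u).hostname for u in (
    "http://ow5dirasuek.com/", "http://mkkuei4kdsz.com/", "http://lousta.net/")}

# Drop locations from the process tree (SysWOW64 rather than System32
# because the 32-bit dropper's System32 write is redirected on x64).
DROP_PATHS = (
    r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    r"C:\Windows\SysWOW64\omsecor.exe",
)


def sha256_file(path, chunk=1 << 20):
    """Streamed SHA256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root, known=KNOWN_SHA256, name="omsecor.exe"):
    """Return (hash_hits, name_hits), each a list of (path, sha256).
    Name hits are kept separate from hash hits: a repacked build changes
    the hash, but the persistence file name often stays the same."""
    hash_hits, name_hits = [], []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # unreadable or vanished file; skip, do not abort the sweep
            if digest in known:
                hash_hits.append((str(p), digest))
            elif fn.lower() == name:
                name_hits.append((str(p), digest))
    return hash_hits, name_hits


# Assumed proxy-log line shape: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def sweep_proxy_log(lines, c2_hosts=C2_HOSTS):
    """Return (client, host, url) for every request whose host is a C2 host
    or a subdomain of one. Match on the parsed hostname, not on a substring
    of the URL, so 'lousta.net.example.org' is not a false positive."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m["url"]).hostname
        if host is None:
            continue
        host = host.lower()
        if any(host == c2 or host.endswith("." + c2) for c2 in c2_hosts):
            hits.append((m["client"], host, m["url"]))
    return hits


if __name__ == "__main__":
    import tempfile
    # Constructed sample log lines; not taken from the report.
    sample_log = [
        "2024-05-19T18:20:01Z 10.0.0.15 GET http://ow5dirasuek.com/ 200",
        "2024-05-19T18:20:02Z 10.0.0.15 GET http://www.example.com/ 200",
        "2024-05-19T18:20:03Z 10.0.0.22 GET http://cdn.lousta.net/x 404",
        "2024-05-19T18:20:04Z 10.0.0.22 GET http://lousta.net.example.org/ 200",
    ]
    for hit in sweep_proxy_log(sample_log):
        print("C2 contact:", hit)
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "omsecor.exe").write_bytes(b"placeholder, not the sample")
        print(sweep_files(d))
```

On a live host, point `sweep_files` at the user profile and C:\Windows\SysWOW64 rather than the whole disk, and treat a name hit without a hash hit as a lead to triage, not a confirmed infection. The C2 hosts are likely to be sinkholed or expired by the time you read this, so a DNS or proxy hit is still worth checking even when the response was an error.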