Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-05-2024 18:16

General

  • Target

    1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe

  • Size

    68KB

  • MD5

    1250fe92a2260f7c09dc1c5095dd5230

  • SHA1

    7f3725bfabb33a113b075622f577cba0ca66a86d

  • SHA256

    6fda56328ae06afb2adeba143f785bc80ba529a06b97d627251603698a886c7d

  • SHA512

    ae3c582915a86927a1116e3d555bb9603855cfc0e12cf4b7d0e560a90b18a294caf0a73e804b6b3df000a1609630a7f72fadb49454ad63cb3027c38707f77f45

  • SSDEEP

    1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:4dseIOMEZEyFjEOFqTiQm5l/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE (3 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1250fe92a2260f7c09dc1c5095dd5230_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4764
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:2676

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    68KB

    MD5

    9e319d9b83293fbfadf87dbdd9c44ec0

    SHA1

    3040738b150fe5d95d9a094766305e85a672298d

    SHA256

    7a3a496899d62afa7fabf18396c9920e2ec1eec742e4d9a6dbb423b051b8efc9

    SHA512

    d1ffaf2c48802a91d2842413989094557f9d119b174ad8cf3d0254a94c05b47fda7a71d55e65c3a553179622dee6c34f58b3994b5ed29b8b1c79457e682bfb25

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    68KB

    MD5

    36ba5045984713994e40557aca4b1e0a

    SHA1

    639dfffa81c32e6fc0bb0a362f251ef4a5e6f1a8

    SHA256

    cd8f08327d1d2d2288d78996e39b9f76c1c947484a0d2fbca6e50b6f8455593b

    SHA512

    c8f0b9d1e15ae8f66d9637899166f2f665d0c3e4dfe3c3f8bff0ce67cf9e67767d4f1f68861852c3a0a198d4e304f51b392a4bea241583440e6f0fa3f7b9338b

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    68KB

    MD5

    1b04947bf9237a4b3de22995d9087311

    SHA1

    9a3b5d567802876af7e084e606b424407deeafdb

    SHA256

    c64cd655b6d0fd0b47cbabda0d0292cbaee4f5974911f5f8839df14dc94c9d45

    SHA512

    641ccdd013942d8a795ff196c1b211a106e3102a09afaf80128b9a9134e66bf0fc4cf13d8e50fa376f1f8ab8535b861280233498ddd6d42038e3517a599d2abb