Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    19-05-2024 21:13

General

  • Target

    3b02bba4c58e5212c09826fb09efa7d0_NeikiAnalytics.exe

  • Size

    92KB

  • MD5

    3b02bba4c58e5212c09826fb09efa7d0

  • SHA1

    b7942475df016d6169a951907d004a3bea9e4652

  • SHA256

    37db7492dfe068914d41761817ca7312e8445bc1f18f0cc724630d78b09434b8

  • SHA512

    27ac421f89556e7095a4d738cc01f94b18e7fc6e7e2dbffc62f5d779201677b8ec41d0112e11a12e3c62dd7352c5c6cf6176a54dcf53f25f633a151a70c7242f

  • SSDEEP

    1536:1d9dseIOcEE3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:9dseIO/EZEyFjEOFqTiQm5l/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b02bba4c58e5212c09826fb09efa7d0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3b02bba4c58e5212c09826fb09efa7d0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    92KB

    MD5

    8a601248fbd0e4adef61e50da8050343

    SHA1

    833186c923e736db1b58ef1bfddc833f2f242804

    SHA256

    1c6376c5e80e4d15d21323106ce687ab6c7047a460401dfb9453a754d36055d7

    SHA512

    db4636e8ae57ad72da48d352c4f07e1e79ea18d40ab53d252ade17739219483ca061e1225e8cb44ab7b3c62f8a362eec766519ea38eba4ab73971662912d931d

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    92KB

    MD5

    ef577c001ff20b8074164ab79b5c48ca

    SHA1

    60b79da473dd53ca037d88b6d6907ce72c400b96

    SHA256

    94d95e36314f5af9b1701ac327ebb6d4f2545837593c5a2ed22660ea2e3a5da3

    SHA512

    2842446db993b16ddabd08762ac1abda7a9080f95e9c920a167883602ca5588c0556642766f6f382a768d3cafb46acb162ffedd5373e90604e08fa43b9a68a4f

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    92KB

    MD5

    4cd38af11f270cfc8e17ffaab02b37c1

    SHA1

    6af1b3856f1d03ab212ae01683ea5e4190346500

    SHA256

    8de8ac38f79fca6ef9f3be5027bf40777b408e49d68cf825a570a5ff3e7eafd2

    SHA512

    ca250d01966853ba415f58971d193e964947b5868029223d88cfc8811c6a7c2af608f80bd23ad7b48e38d7939d607d1882cef977dd26e16f4612c7c678ac1d1e

  • memory/796-35-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/796-36-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2860-1-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2880-32-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2984-9-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2984-11-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2984-16-0x0000000000470000-0x000000000049B000-memory.dmp

    Filesize

    172KB

  • memory/2984-22-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB