Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-05-2024 20:37

General

  • Target

    33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe

  • Size

    73KB

  • MD5

    33853b1d020011dc876783e07d8b7230

  • SHA1

    8dc8ccde95fd883250957c7e36d60343be0c1934

  • SHA256

    c6c1b6c6b2c8b4a507d4eb4ecda9cfeb0cfb66c4dcdea0a44eb655e9d841292e

  • SHA512

    c98df728ed61b666ed8a9fdec1e64c799cb4fbdfd5ed47264d43373dfd4ec8b3f8f2db2ee41bc6af27beca20058ebf7d5ded71d8049305542b6c3fec0f53ecd0

  • SSDEEP

    1536:ud9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:2dseIOMEZEyFjEOFqTiQm5l/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE (3 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe"
    Depth: 1
    • Suspicious use of WriteProcessMemory
    PID: 4916
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      Depth: 2
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID: 3892
      • C:\Windows\SysWOW64\omsecor.exe
        Command line: C:\Windows\System32\omsecor.exe
        Depth: 3
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID: 2252
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
          Depth: 4
          • Executes dropped EXE
          PID: 1236


Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    73KB

    MD5

    c5ad14a538c9584c45fb4050617364c2

    SHA1

    3358d50d96599810e4d0a7642e6b364fb26208de

    SHA256

    1c0dba80ac3a5128396476897f538cdb76208d45b3c966c6d0cdbe1688d988ac

    SHA512

    0b2d65d8a0d3405c64e1c78b39ae701938230d19f47146fc641736e7b9d4061e346c2f91a639b647dc09708c09c946ffbcec9e559500dd431edce6226329c931

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    73KB

    MD5

    ce9c4280dd4ff278815e58d38638c24a

    SHA1

    02c2e5d37527af5281e6b358ba9d8e139de31d2c

    SHA256

    6540ec62a6824fd7f0085f0b5dfc71e86db5dd16c167a634f7e5367a126624ba

    SHA512

    34792c79b02fd9dc3aac3980a3477bfc99c3fc7f4360a7a9d2e989ffe5ce99dd96d64f5cc70906bc2cad9ef23c4723f19ce81c19e4a45db6554dda87cb0af1c6

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    73KB

    MD5

    7b154f209e4c10cfdeb5cbf3dac832d1

    SHA1

    de5173061ab7e3ff3331b9fc7e53269f283513f0

    SHA256

    7c84573635f429bd0b7d6c0a0273aceda1e2c821addd0d52ae2d06899c736801

    SHA512

    835163bc482a3401e7bbc36263a7a45474a49f4d4d748f2b06fcee419f4cfad31592cabd4c46300fc8514d0cb947c6d34ab2eee4a91df5cf509c54ea93b2abb3