Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 21:09

General

  • Target

    3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe

  • Size

    96KB

  • MD5

    3a06824939308fa3b1a5774d951d4bb0

  • SHA1

    835a81e8c679997717562b90e11ec2723c5317a6

  • SHA256

    a47c73c19b4e5f5f7206a46a5adef98372d9e624387c17a398b5d4e4306a10ab

  • SHA512

    0ee3c09afce90c7d6dcaaabe4a1ea8f6e2ad9a56c888d5c10c430549ed7159c0ecfdbf5ced8090227ce9106500c65dd608371ea71275d86ab463309bbd24dc0e

  • SSDEEP

    1536:wnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:wGs8cd8eXlYairZYqMddH13L

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe
      C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2508
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:2620
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:112
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2016
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2216
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  PID:1896
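The tree above is an eight-stage chain in which every odd stage shows "Suspicious use of SetThreadContext" plus "Suspicious use of WriteProcessMemory" and spawns a child from its own image, which is the suspend / write / SetThreadContext / resume sequence of process hollowing; the stage-5 discrepancy between the command line (C:\Windows\System32\omsecor.exe) and the actual image (C:\Windows\SysWOW64\omsecor.exe) is WoW64 file system redirection of a 32-bit process. As an added example (not part of the sandbox report and not the sample's own code), the tree transcribed as data with checks for those two patterns; the field names and short signature labels are my own shorthand, and reading the signature pairing as hollowing is an inference from the report, not something the report states.

```python
# Added example, not part of the sandbox report: the process tree above as
# data, plus checks for the behaviour the report's signatures describe.
# Field names and the short signature labels are my own shorthand.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str              # on-disk image path as the sandbox reports it
    cmdline: str            # path on the command line (differs under WoW64 redirection)
    parent: Optional[int]
    sigs: frozenset = field(default_factory=frozenset)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
WOW64 = r"C:\Windows\SysWOW64\omsecor.exe"
SYS32 = r"C:\Windows\System32\omsecor.exe"

# Transcribed from the Processes section: pid, image, command line, parent, signatures.
TREE: List[Proc] = [
    Proc(2916, SAMPLE, SAMPLE, None, frozenset({"SetThreadContext", "WriteProcessMemory"})),
    Proc(1920, SAMPLE, SAMPLE, 2916, frozenset({"LoadsDroppedDLL", "WriteProcessMemory"})),
    Proc(2508, ROAMING, ROAMING, 1920, frozenset({"ExecutesDroppedEXE", "LoadsDroppedDLL",
                                                  "SetThreadContext", "WriteProcessMemory"})),
    Proc(2620, ROAMING, ROAMING, 2508, frozenset({"ExecutesDroppedEXE", "LoadsDroppedDLL",
                                                  "DropsFileInSystem32", "WriteProcessMemory"})),
    Proc(112, WOW64, SYS32, 2620, frozenset({"ExecutesDroppedEXE", "SetThreadContext", "WriteProcessMemory"})),
    Proc(2016, WOW64, WOW64, 112, frozenset({"ExecutesDroppedEXE", "LoadsDroppedDLL", "WriteProcessMemory"})),
    Proc(2216, ROAMING, ROAMING, 2016, frozenset({"ExecutesDroppedEXE", "SetThreadContext", "WriteProcessMemory"})),
    Proc(1896, ROAMING, ROAMING, 2216, frozenset({"ExecutesDroppedEXE"})),
]

HOLLOWING_SIGS = frozenset({"SetThreadContext", "WriteProcessMemory"})
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")


def hollowing_pairs(tree: List[Proc]) -> List[Tuple[int, int]]:
    """(parent, child) pairs where the parent spawned a child from its own
    image, wrote into it and reset a thread context: the suspend / write /
    SetThreadContext / resume sequence of process hollowing."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in tree}
    pairs = []
    for p in tree:
        par = by_pid.get(p.parent) if p.parent is not None else None
        if par and par.image.lower() == p.image.lower() and HOLLOWING_SIGS <= par.sigs:
            pairs.append((par.pid, p.pid))
    return pairs


def dropped_exe_launches(tree: List[Proc]) -> Dict[int, str]:
    """Where each 'Executes dropped EXE' process runs from. SysWOW64 is where a
    32-bit process that writes to System32 on x64 Windows actually lands (WoW64
    file system redirection), which is why stage 4's 'Drops file in System32
    directory' shows up as C:\\Windows\\SysWOW64\\omsecor.exe."""
    where: Dict[int, str] = {}
    for p in tree:
        if "ExecutesDroppedEXE" not in p.sigs:
            continue
        low = p.image.lower()
        if any(d in low for d in USER_WRITABLE):
            where[p.pid] = "user-writable"
        elif "\\syswow64\\" in low:
            where[p.pid] = "syswow64"
        else:
            where[p.pid] = "other"
    return where


def wow64_redirected(tree: List[Proc]) -> List[int]:
    """PIDs whose command-line path and actual image path disagree."""
    return [p.pid for p in tree if p.cmdline.lower() != p.image.lower()]


if __name__ == "__main__":
    print("hollowing pairs:", hollowing_pairs(TREE))           # 4 pairs, one per SetThreadContext IoC
    print("dropped EXE launches:", dropped_exe_launches(TREE))  # 6 entries, one per 'Executes dropped EXE' IoC
    print("WoW64-redirected:", wow64_redirected(TREE))          # [112]
```

The pair count and the launch count line up with the report's own tallies (4 SetThreadContext IoCs, 6 "Executes dropped EXE" IoCs), which is a cheap sanity check that the transcription is faithful.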

Network

MITRE ATT&CK Matrix

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    246495e2b032733d47da73322aa83799

    SHA1

    15e5b29c3d0bfc625b4154a8eef5e2495d575139

    SHA256

    b30c27317c0c30ca5cde48f96ac29db1dca289e2d2281cd9d2fd98e5a1a88e83

    SHA512

    18be84fc666dfbdf0256b8bcb8c4f3d3733fe3922de5f00d1841817e6db0ac7c85393417752e459639f511f7695668a205d97fe3d46feab2777028ad1128625d

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    085a0ccac905e875fcb379ce3954a59d

    SHA1

    78239949710489636aff48bcb1e81bd2498da98d

    SHA256

    6b58e0aac00ccb99a8b8084ffabf56ae7cbb795c80c4c14625a2327b8b7a6000

    SHA512

    bb296b947c77b8434536479fb92a9abd707a28fd1aa877bfea4cf6b1606616a16d6c4b46f4e0a4468f9db3d8b74892d8bdafa8a78bf847fdbc865423b6601707

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    96KB

    MD5

    902e8a198640715bc9651d927e6c6eaf

    SHA1

    4708079473117e57591d92d8f77e96bbfceb4a2e

    SHA256

    5d019fb49fe66cacc2c1656788e4f7a1b1305d9008b3efcae86ce03a12ae66fb

    SHA512

    262562993ba6186c35d5e0eb87d92484cf1afb92d62e83ea7115224c48ffe83b6e101950e5928f7576bf4532d8354dd675963255a56db043b00c5379817736ec

  • memory/112-66-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/112-58-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1896-94-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/1896-91-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/1920-15-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/1920-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1920-14-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/1920-6-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/1920-10-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/1920-2-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2016-73-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2216-88-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2216-81-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2508-35-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2508-32-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2620-36-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2620-57-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2620-48-0x0000000000310000-0x0000000000333000-memory.dmp

    Filesize

    140KB

  • memory/2620-45-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2620-42-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2620-39-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2916-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2916-8-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2916-1-0x0000000000260000-0x0000000000283000-memory.dmp

    Filesize

    140KB
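Note that the three dropped omsecor.exe copies are all 96KB yet carry three different hash sets, and none of them matches the submitted sample, so a hash indicator from this report covers one stage of the chain at a time; the drop paths and the C2 hosts from the Malware Config section hold across stages. As an added example (not part of the report), an indicator matcher built from the hashes above, the C2 hosts and the drop paths, run over constructed log lines in a simplified key=value layout (not real Sysmon output). The subdomain cdn.lousta.net, the all-zero hashes on line 3 and the suffix rule for C2 hosts are my assumptions for illustration; the report lists only bare hostnames.

```python
# Added example, not part of the sandbox report: an indicator matcher built
# from the report's hashes, C2 hosts and drop paths, run over constructed
# log lines in a simplified key=value layout (not real Sysmon output).
import re
from typing import Dict, List, Tuple

C2_HOSTS = {"ow5dirasuek.com", "mkkuei4kdsz.com", "lousta.net"}

# MD5 and SHA256 of the submitted sample and of the three dropped omsecor.exe copies.
HASHES = {
    "3a06824939308fa3b1a5774d951d4bb0", "a47c73c19b4e5f5f7206a46a5adef98372d9e624387c17a398b5d4e4306a10ab",
    "246495e2b032733d47da73322aa83799", "b30c27317c0c30ca5cde48f96ac29db1dca289e2d2281cd9d2fd98e5a1a88e83",
    "085a0ccac905e875fcb379ce3954a59d", "6b58e0aac00ccb99a8b8084ffabf56ae7cbb795c80c4c14625a2327b8b7a6000",
    "902e8a198640715bc9651d927e6c6eaf", "5d019fb49fe66cacc2c1656788e4f7a1b1305d9008b3efcae86ce03a12ae66fb",
}

# Path suffixes of the dropped executable (matched case-insensitively).
DROP_PATHS = ("\\appdata\\roaming\\omsecor.exe", "\\syswow64\\omsecor.exe")

# Constructed events. Line 3 is a hypothetical re-dropped copy with a hash the
# report never saw: hash matching misses it, path matching does not. The
# cdn.lousta.net subdomain on line 4 is likewise hypothetical.
EVENTS = r"""EventID=1 Image=C:\Users\Admin\AppData\Roaming\omsecor.exe Hashes=MD5=246495E2B032733D47DA73322AA83799,SHA256=B30C27317C0C30CA5CDE48F96AC29DB1DCA289E2D2281CD9D2FD98E5A1A88E83
EventID=22 Image=C:\Users\Admin\AppData\Roaming\omsecor.exe QueryName=ow5dirasuek.com
EventID=1 Image=C:\Windows\SysWOW64\omsecor.exe Hashes=MD5=00000000000000000000000000000000,SHA256=0000000000000000000000000000000000000000000000000000000000000000
EventID=3 Image=C:\Windows\SysWOW64\omsecor.exe DestinationHostname=cdn.lousta.net DestinationPort=80
EventID=22 Image=C:\Windows\explorer.exe QueryName=www.microsoft.com
EventID=11 Image=C:\Users\Admin\AppData\Roaming\omsecor.exe TargetFilename=C:\Windows\SysWOW64\omsecor.exe"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> Dict[str, str]:
    """key=value tokens separated by whitespace; values in this layout hold no spaces,
    so the Hashes token keeps its inner 'MD5=...,SHA256=...' structure intact."""
    return dict(FIELD.findall(line))


def host_matches(host: str) -> bool:
    """Exact C2 host or any subdomain of it (suffix rule is my assumption)."""
    h = host.lower().rstrip(".")
    return any(h == c2 or h.endswith("." + c2) for c2 in C2_HOSTS)


def scan(text: str) -> List[Tuple[int, str, str]]:
    """(line number, indicator kind, matched value) for every indicator hit."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        ev = parse(line)
        for item in ev.get("Hashes", "").split(","):
            digest = item.partition("=")[2].lower()
            if digest in HASHES:
                hits.append((n, "hash", digest))
        for key in ("QueryName", "DestinationHostname"):
            if key in ev and host_matches(ev[key]):
                hits.append((n, "c2", ev[key].lower()))
        for key in ("Image", "TargetFilename"):
            if key in ev and ev[key].lower().endswith(DROP_PATHS):
                hits.append((n, "path", ev[key]))
    return hits


def summarize(hits: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Hit count per indicator kind."""
    counts: Dict[str, int] = {}
    for _, kind, _ in hits:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for n, kind, value in scan(EVENTS):
        print(f"line {n}: {kind} {value}")
    print(summarize(scan(EVENTS)))  # {'hash': 2, 'path': 6, 'c2': 2}
```

Line 3 of the constructed events is the case to watch: the unknown hash produces no hash hit, but the SysWOW64 drop path still fires, which is the indicator that carries across the stages this report shows.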