Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-05-2024 21:09

General

  • Target

    3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe

  • Size

    96KB

  • MD5

    3a06824939308fa3b1a5774d951d4bb0

  • SHA1

    835a81e8c679997717562b90e11ec2723c5317a6

  • SHA256

    a47c73c19b4e5f5f7206a46a5adef98372d9e624387c17a398b5d4e4306a10ab

  • SHA512

    0ee3c09afce90c7d6dcaaabe4a1ea8f6e2ad9a56c888d5c10c430549ed7159c0ecfdbf5ced8090227ce9106500c65dd608371ea71275d86ab463309bbd24dc0e

  • SSDEEP

    1536:wnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:wGs8cd8eXlYairZYqMddH13L

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe
      C:\Users\Admin\AppData\Local\Temp\3a06824939308fa3b1a5774d951d4bb0_NeikiAnalytics.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:460
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:1204
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4328
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2492
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:4508
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  PID:1560
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 268
                  8⤵
                  • Program crash
                  PID:4932
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 292
              6⤵
              • Program crash
              PID:1776
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 288
          4⤵
          • Program crash
          PID:2548
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 288
      2⤵
      • Program crash
      PID:1436
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2284 -ip 2284
    1⤵
      PID:2752
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 460 -ip 460
      1⤵
        PID:432
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4328 -ip 4328
        1⤵
          PID:2076
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4508 -ip 4508
          1⤵
            PID:3840

          Network

          MITRE ATT&CK Matrix

          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe

            Filesize

            96KB

            MD5

            59a6c6ae10124b37fa2f120f4685694f

            SHA1

            130dcb6a8fc36faaa976dbaeb6e4d7e196f81afd

            SHA256

            b2f6bc73d254db4a4f23a120c90f81b5b5434d5b67e4b5255f4e3f9ebcbeaa5d

            SHA512

            6d227da9aff340982a79b7a3b6e6a1e6803d6095ee12ba351f240b50a8ed3904e9dcbc3cd42d86a61474fd46ae4eab6c35d2573c3d003d450605dcd5e2c25ab1

          • C:\Users\Admin\AppData\Roaming\omsecor.exe

            Filesize

            96KB

            MD5

            246495e2b032733d47da73322aa83799

            SHA1

            15e5b29c3d0bfc625b4154a8eef5e2495d575139

            SHA256

            b30c27317c0c30ca5cde48f96ac29db1dca289e2d2281cd9d2fd98e5a1a88e83

            SHA512

            18be84fc666dfbdf0256b8bcb8c4f3d3733fe3922de5f00d1841817e6db0ac7c85393417752e459639f511f7695668a205d97fe3d46feab2777028ad1128625d

          • C:\Windows\SysWOW64\omsecor.exe

            Filesize

            96KB

            MD5

            f7d6a671395ea3d10088b54b156371fd

            SHA1

            240c751abaab5abc4e04478a9f73056681d29320

            SHA256

            f004f4232409cb1b9e4e24bfe22219ca2e3f5277b7ede23fcbdcb47144cc2d60

            SHA512

            c84d8f4be7b18563a176051a4424112bd2b60c34a91e56032855313e19a782f3a2a9726eee353481e7ae73def7d3bcf56acc39c27c65d2ec2267d9782ecd3e28

          • memory/460-11-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

          • memory/1204-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1204-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1204-19-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1204-22-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1204-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1204-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1204-33-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1560-50-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1560-49-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1560-54-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1560-57-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/2284-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

          • memory/2284-18-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

          • memory/2492-40-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/2492-37-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/2492-38-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/2696-7-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/2696-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/2696-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/2696-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/4328-34-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

          • memory/4328-52-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

          • memory/4508-44-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB