Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-05-2024 01:45

General

  • Target

    841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe

  • Size

    134KB

  • MD5

    841bb7359c3f6716699dbdf80fb4b940

  • SHA1

    189c31a393697856d37659e09530d9ffae30f099

  • SHA256

    e518b0fa3c29a91839356fd7fb53f99f8b7f6637b9678b3031dffb61f8cc207d

  • SHA512

    d05c6d9570b76e90249ba7ad13745a78cff9f776c0b9a5ea45cecb18f8c0cbb656e88557e9baafbc19111aef41ef871fe1fac5fd382d370abdbc84f4227e0c43

  • SSDEEP

    1536:PDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:7iRTeH0NqAW6J6f1tqF6dngNmaZC7M

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
      C:\Users\Admin\AppData\Local\Temp\841bb7359c3f6716699dbdf80fb4b940_NeikiAnalytics.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1608
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:4084
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1608
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1884
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1204
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  PID:2944
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 256
                  8⤵
                  • Program crash
                  PID:3376
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 300
              6⤵
              • Program crash
              PID:3212
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 296
          4⤵
          • Program crash
          PID:3120
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 288
      2⤵
      • Program crash
      PID:2964
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4648 -ip 4648
    1⤵
    PID:1672
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1608 -ip 1608
    1⤵
    PID:4432
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1608 -ip 1608
    1⤵
    PID:3200
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1204 -ip 1204
    1⤵
    PID:4808

Network

MITRE ATT&CK Matrix

Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe

            Filesize

            134KB

            MD5

            ff000d5b43cdc4391be8e72df35c57d6

            SHA1

            69dd2faba5aed210923f2c6feb3e88755fd4ed12

            SHA256

            fef2c34eb2e0465205b56bd0d7a019034bd480d047a96c589cb3b64178204e3b

            SHA512

            8b9f160ba86527535b7c17f18334af31c32c7274101cc4d05440e3451024fac8762257088139988c8a59a050985a622dd76af38f11966c4c2cee856d9505da5e

          • C:\Users\Admin\AppData\Roaming\omsecor.exe

            Filesize

            134KB

            MD5

            19b6f9f15ac8df3067d54275f67c7dc3

            SHA1

            f38fc26b1605b14607312aaa6c99753aa1b0c182

            SHA256

            2e6190e313520edc485aa739208b09cd12f822a582e89926315992f3c2bed409

            SHA512

            aaa2c3e41e2102f8308ca55f81c9371b89a6e1e5f7af08f7efdea98bfe69b83f5ddcd3913fbbcaaf0f45a6221c668ada22c99c33ffbf7173c96a4bd2420c623a

          • C:\Windows\SysWOW64\omsecor.exe

            Filesize

            134KB

            MD5

            c28bfc381a8db99ed16dde0efbb6d295

            SHA1

            b9b2d79b7e494f3e47aa7ae50ee8ccc981c56edb

            SHA256

            c8625c595b98e72714fdf3789b8082f46f5256e5812f4490ae72b217af74c6c0

            SHA512

            b97e0a6bfd4adac35c211eb0bfbaaceb318c203cbb0d933e42b09806ebd4cc4322bfc1f49c35747dec41c793826298b0e7f7a1d9e1f11a81ea6ecb13c100906b

          • memory/1204-43-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

          • memory/1536-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1536-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1536-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1536-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1608-11-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

          • memory/1608-32-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

          • memory/1608-49-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

          • memory/1884-36-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1884-42-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1884-35-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/2944-53-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/2944-50-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/2944-47-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/2944-48-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/4084-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/4084-23-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/4084-20-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/4084-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/4084-17-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/4084-31-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/4084-24-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/4648-0-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

          • memory/4648-16-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB