Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-05-2024 03:25

General

  • Target

    9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe

  • Size

    80KB

  • MD5

    9f73b46138b08037195e76e5180649a0

  • SHA1

    e4b6b8b84b5c59ff4110e3f38e5f4c954d98e88d

  • SHA256

    07bc9db7d5ea8998be8ae0783c0ccadc510866d4c953a3ded51314c0b57828aa

  • SHA512

    d39352c6a8bd6a136adf1e59ece1d9fe47cec94c0ea49f22611e764b756e6cab7e5bfe4a59dd7c20af8a3c06dd6f7c4d8648d37ca06e3b0ce16f55f627aa5036

  • SSDEEP

    768:3fMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:3fbIvYvZEyFKF6N4yS+AQmZTl/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:528
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:716
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:2460

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    c8ab7ff887bd58e43482969667b2b41c

    SHA1

    d2f69efab22f07d94e26e02aa6845ae4004ca60f

    SHA256

    733a1bac5c2f21e339512cf98c980349492630c2aa6a811bc70293bee5ff821d

    SHA512

    8af6876529142f1a1740d76e8c9d4ad1e0d46a6301275257a725ab8cd00ce46f7b8e6200c9606cee7ca873af0cb5e61e09b1f16741fbf5b295a6d3b6fa70767c

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    7fbdf871bf91153ecff8d044ed40c37a

    SHA1

    7b4b0d5de867f6b6444b79580abb345785af434e

    SHA256

    35352d475ffe0a44217dae8569fd6b770297a0aee28b337f39ca76529051bc11

    SHA512

    bf950d2f0bb65cbd89dd61ef3e5bbd3cb2f357f934cb20a653069bd4a172d9f6476cd4a1a2c9f2daa8815fc94afd05b28c9de0af046ac73b5982876919956799

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    80KB

    MD5

    b961e68449d82e9914c6877ec7a1a3cf

    SHA1

    7d05ec87c42a431482c0a72ffd0ff141e978709e

    SHA256

    ce34ebe99f2009a3dc461c15feddf693e4644f4b093059042ecd4d6fafaa3f4e

    SHA512

    e39e1950c3785e094697c0456c47a620a19b4d4a52b72aeed98a35ff247a721980403cd007056493deb63f200044482c79c6aef3a6c2e580d3a5fccdd64657df