Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    20-05-2024 04:45

General

  • Target

    b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe

  • Size

    80KB

  • MD5

    b09a521906d1eed8c0989d0f2e9e75b0

  • SHA1

    1cfc08fd78c4fd8cfa5bf61f5a3e54d9c8145276

  • SHA256

    e73eaeafa6e84acb88b422d6e340f5da99a13e64b3e2616fa444e5129faf86a8

  • SHA512

    b32bbba650e10c2b15dbe3e75e7f0f894bf4f295db573f95842a0d071972507456b481e9f43dca900e581af518acf8432e1888a9f827ad183fbc104b4efc4b49

  • SSDEEP

    768:KfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:KfbIvYvZEyFKF6N4yS+AQmZTl/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:3044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    87a34cd5cbff2557af7ddfb672e3b2fa

    SHA1

    b723170993ab887d205a4f8da695395c2b24889d

    SHA256

    b497f0117e0f4fd2d6f76749480d13798e35029a58d7e7bd9c594c35ad2cedb1

    SHA512

    6499deab1a8d5106917559402f15c3fbd9fbaed11b8257443bab20b443c3436db1dba3035326f7a90d817afe3d94c06e7d53db212cf3658df09181332aacb579

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    720e279f2e6f6aff51c9193add0ac6a2

    SHA1

    2568cc8769b9d0effd735eb25fdfdaba278a2975

    SHA256

    0c69ab57d833e6a3645153a6656257e5130f0f1d233d7526bf267725e01b20e4

    SHA512

    6b157331cb3651766d0228fa57316052e53d324b5e2e653af5a8b93cbf93bbbdbdbb5d6c9717d8b3ded1bdae6c815bf8c1ebefdf7a450f0a78439025b34c53d0

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    80KB

    MD5

    c79035d95bf6c0d3d7e8370651b24e49

    SHA1

    f1238cbf29c9151fb5df59b30270cdf10e99bbb3

    SHA256

    a61e2b7ba21b979115149e4053d16b68208e0aec56009c18e383db307dd61db8

    SHA512

    02f188889822a134058ac8a09ff88face1610a2700ad76d6e2f72091f1ca09e22f0c0f5305fa4ff6b027fca7c1da28ed3da14fd0cd25ef076bc735d56a00d356