Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-05-2024 04:45

General

  • Target

    b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe

  • Size

    80KB

  • MD5

    b09a521906d1eed8c0989d0f2e9e75b0

  • SHA1

    1cfc08fd78c4fd8cfa5bf61f5a3e54d9c8145276

  • SHA256

    e73eaeafa6e84acb88b422d6e340f5da99a13e64b3e2616fa444e5129faf86a8

  • SHA512

    b32bbba650e10c2b15dbe3e75e7f0f894bf4f295db573f95842a0d071972507456b481e9f43dca900e581af518acf8432e1888a9f827ad183fbc104b4efc4b49

  • SSDEEP

    768:KfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:KfbIvYvZEyFKF6N4yS+AQmZTl/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1396
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2248
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:4300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    46d9678b4487e84c516b34e71a4029d7

    SHA1

    74884c7f09c0fe1f6a171c58555cd19f192d6450

    SHA256

    cf8b28f90832105463531dad6751cf038ee50ebe35d838432294238342444e8f

    SHA512

    46c1ec87ccc2eae539d0a6d0255373dd61cd209ac99927f4f063a916db22b9561d40c5fb5997a391eae6e07d4c4c5f36556878793104d7b2081b4700a333e215

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    87a34cd5cbff2557af7ddfb672e3b2fa

    SHA1

    b723170993ab887d205a4f8da695395c2b24889d

    SHA256

    b497f0117e0f4fd2d6f76749480d13798e35029a58d7e7bd9c594c35ad2cedb1

    SHA512

    6499deab1a8d5106917559402f15c3fbd9fbaed11b8257443bab20b443c3436db1dba3035326f7a90d817afe3d94c06e7d53db212cf3658df09181332aacb579

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    80KB

    MD5

    fd01891cfcf022bbf245744d90a3e451

    SHA1

    454691a7464b9db7be8cc420f799887df58d9875

    SHA256

    64509b5009bb1ebf4d82a8284058d9c899c3c0b6df843755b58691ebe76e0419

    SHA512

    cdce6763cce128ae0a49d2cecaa966e054eef6ecbf1c915bc17b8d2b2f54e632158fbadc7f5bc2d0a0b415ce07855b46d42a94a9c68d95383d2d43055bd470e9