Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    20-05-2024 06:14

General

  • Target

    c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe

  • Size

    84KB

  • MD5

    c217dc2771eccec57d3517399278b380

  • SHA1

    adc01a4a404773422d0c9295fdb2d6686605d885

  • SHA256

    2049fae0e816dd8535ff4a5741a4c756aad67d3c8f3bdff1388a64936bb40ca1

  • SHA512

    db0165db0376b429d463c02ba950be8e2a38645042ab8bad16b7b61fa58379b519946628dcb62e70461f510f3ff94d9ba0ede65af7a3bfc9f43e52d758aeb128

  • SSDEEP

    1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:4dseIOMEZEyFjEOFqTiQm5l/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1752
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:1832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    84KB

    MD5

    86721caf55312093a96bbc9c93391b07

    SHA1

    99b36d00be3af7ce775824f3aa49c3f8cd6bc382

    SHA256

    52af109af3ccfaf95f1284e0ef659c6e379080b558dbd096bf3e4c8064b8e6da

    SHA512

    4d81fb2639836513c00a34e7803c1838ae43dc6b179d7f802c24dd98bb7da3cca6ad6fcb0664743a18fd09893a0cf0d2a1cda452770a67db4f2ea52200aaf6e8

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    84KB

    MD5

    8a738c7474431d9afe188839535612bc

    SHA1

    494275f83679f5015a8ac4e2864497e41bc9cefe

    SHA256

    71cefe3354cfdf65e0d9117037f42bfc079405c6fa55061acf96bbcd8e695be8

    SHA512

    f88db01fb520d30c0a3bdc05603a8b396db4d8f65a80d0b5345ad9eb73ba5d8cb467d97725b0baaff87b6e6f16feb1499c269c47e91efe57691fca95884744f1

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    84KB

    MD5

    4253861b8f458ec98f099919ecfef6ab

    SHA1

    77eef3889ee2005c998d7f2ce187da61f513379b

    SHA256

    5a77527622b9095bdadb6f81c75c50c55c8c8a25ab83198c203730942ef2421b

    SHA512

    fed9294229865f018ca790d4c1a3076bd6810a55b2ba637f09106f318acd8ce8154a5a617fdb1a1f702445ca791cbda353ace03870130da7ca1da3d624e52a6f