Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-05-2024 06:14

General

  • Target

    c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe

  • Size

    84KB

  • MD5

    c217dc2771eccec57d3517399278b380

  • SHA1

    adc01a4a404773422d0c9295fdb2d6686605d885

  • SHA256

    2049fae0e816dd8535ff4a5741a4c756aad67d3c8f3bdff1388a64936bb40ca1

  • SHA512

    db0165db0376b429d463c02ba950be8e2a38645042ab8bad16b7b61fa58379b519946628dcb62e70461f510f3ff94d9ba0ede65af7a3bfc9f43e52d758aeb128

  • SSDEEP

    1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:4dseIOMEZEyFjEOFqTiQm5l/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\c217dc2771eccec57d3517399278b380_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:2480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    84KB

    MD5

    396138bc74915807de0bd583ffc328d0

    SHA1

    85eba9dfef4956f9f341ed963fc31d217386fe8c

    SHA256

    2ec86a68fd039a91e30562f7e27f4c1d765564d5bf2820056be4aabc6836144b

    SHA512

    84016c3a805356b93da1cceefbd45574e1ce523c7560073d54955dba763918479efbae2b9e68ca2d814d47a5107d28a89e8d752ee82bf263d3e148cc539fcf09

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    84KB

    MD5

    86721caf55312093a96bbc9c93391b07

    SHA1

    99b36d00be3af7ce775824f3aa49c3f8cd6bc382

    SHA256

    52af109af3ccfaf95f1284e0ef659c6e379080b558dbd096bf3e4c8064b8e6da

    SHA512

    4d81fb2639836513c00a34e7803c1838ae43dc6b179d7f802c24dd98bb7da3cca6ad6fcb0664743a18fd09893a0cf0d2a1cda452770a67db4f2ea52200aaf6e8

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    84KB

    MD5

    8b1a6fae3c4120dfa5902bb722e5373e

    SHA1

    ad61e7e1e96c104bc12a4fb5f5847484566da5ad

    SHA256

    efee8ac0b393ae9215fde343b854c608dff271972c14cb1cdec8cb3186f7842d

    SHA512

    19581161d41e5375226763b83c4400d4a3d85a5c2ee4aab806dba491a639d0e1c667901bcd0b83caf2877aebee744631842352a99f9415d5d9e7e18317cb724d