Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-05-2024 07:24

General

  • Target

    d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe

  • Size

    92KB

  • MD5

    d0efb5497c7eebd213ef6ff801d16fa0

  • SHA1

    e148ff316600c1562af98b7d5ba2b81cfb4a1aa0

  • SHA256

    b6855800b7590ffff020758f8debf87cd93fc1eed7524647f2322e8cad9ac2ae

  • SHA512

    8db71ca7e4b11fa5c0aa585d352ceaf38b3c82c11fa732dc8cb0913058696195bb44237f6b2d1da407c13bcfd54944196346176c34f21b2ec4f7c20a24cdf0c4

  • SSDEEP

    768:XMTIvFGvZEh8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:XUIvYvZEgFKF6N4yS+AQmZTl/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\d0efb5497c7eebd213ef6ff801d16fa0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:3760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    92KB

    MD5

    9d83235880b393306ce82a8312bcb6d8

    SHA1

    9619b2513fafd662bc267d4e1f9a1385a5e835eb

    SHA256

    995faf9ddc9a560bbdf5c9a8158659424e736093f07f91b2c60d9001e1b01259

    SHA512

    6f600fd6a71325ede580af8d19a9eb321fc4069df58b87a127bd3a9c7338e58f2009223cb5c656505d611a395da4cd65704a82513ca4b13240ea8c170b0f0832

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    92KB

    MD5

    7ac7e1b65a156deb571a0235c56bc734

    SHA1

    183cddbb99d9164d9e6bf3143afb6e2175a84c9a

    SHA256

    6241430bacc027c3d69d05162cd13e19ef504665d1f9f92e9e41ed3e43a99d99

    SHA512

    50c61276ff07fff7159e7b3eac05a47cd7b4d56cc12f92a5c5380796e10c6c46c659f8370ba7e355fcd4ed6c5e963b9de0346997b5e3fcecacdb0251b857e6a3

  • memory/1876-6-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1876-7-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1876-12-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/3760-13-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/3760-14-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4248-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4248-4-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB