neconyd | 011c059fa55493bf1821a870d89e7d6d3f5f1c45646c952f33194ca2770668a1

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe
Size

92KB
MD5

d2cd9a9616266103c033c4cd5af543a0
SHA1

297ebd574004a01108d997d73248db89dfdbf2fc
SHA256

011c059fa55493bf1821a870d89e7d6d3f5f1c45646c952f33194ca2770668a1
SHA512

02c72d5137a9f8b8536507761def77e2b1ff381fc0ca9105f56760d8ff31ef32fb72e36c9947e7a6557e763c04dfd8bf523fc7bb92eee020d0082e51bdf0c21e
SSDEEP

1536:/d9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:3dseIOyEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
1932	omsecor.exe
2864	omsecor.exe
1700	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2380	d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe
2380	d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe
1932	omsecor.exe
1932	omsecor.exe
2864	omsecor.exe
2864	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1932	2380	d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe	28
PID 2380 wrote to memory of 1932	2380	d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe	28
PID 2380 wrote to memory of 1932	2380	d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe	28
PID 2380 wrote to memory of 1932	2380	d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe	28
PID 1932 wrote to memory of 2864	1932	omsecor.exe	32
PID 1932 wrote to memory of 2864	1932	omsecor.exe	32
PID 1932 wrote to memory of 2864	1932	omsecor.exe	32
PID 1932 wrote to memory of 2864	1932	omsecor.exe	32
PID 2864 wrote to memory of 1700	2864	omsecor.exe	33
PID 2864 wrote to memory of 1700	2864	omsecor.exe	33
PID 2864 wrote to memory of 1700	2864	omsecor.exe	33
PID 2864 wrote to memory of 1700	2864	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
84230afd5a8a2644094660f014b02995

SHA1
36e2352fdce75e7afd6300e7fc527232eb140ce4

SHA256
78b98f9e1b0b085472a8d9c0d15b2aa44d7185859c5020b4e948cb0e72d7299c

SHA512
4a8223eff219b57af9d6e603e5aad94715ed0674d4b2f87ee05573e3cf404a4491253aebf95bc9e9ba442bd1a6884ce732ed923252dbd27c81e27365733edc98

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
6687c8cfe5fb17d8d13bfa28b78fe460

SHA1
8c4f6ef95c1d72c1448520c2e5434ede191f4f0d

SHA256
d1cc83fc18382bbb941bc2053daf37eff98f145b109d84be6994181aa8631d68

SHA512
af03707e8511da136290f7423853947661b81234b4b09915210b87156498b412334d43db57fec1559263c04e94ea0dbbd71d140f5b7f4effd3599d236b0f5cfa

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
f0de8a558bf0da95c1612eb45bc0f9bd

SHA1
c603b8705697d43b2df69b73d9922d1c0b486177

SHA256
ba245ce705d200206c8e8b972a705bcb280d19e601c47acfdfe7040889e36810

SHA512
adc0f3cab1e8f0241e05b77e795d57e4097438d26581c0e38bc30f04f8be0e78e43a6f27f8c4a4de17c277f75609b3553422d06bd13e24cb63b292359435f4a2

Download Submit
memory/1700-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1932-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1932-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1932-16-0x0000000000350000-0x000000000037B000-memory.dmp

Filesize
172KB

Download
memory/1932-22-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2380-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2864-28-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2864-33-0x0000000000250000-0x000000000027B000-memory.dmp

Filesize
172KB

Download