Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    20-05-2024 07:32

General

  • Target

    d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe

  • Size

    92KB

  • MD5

    d2cd9a9616266103c033c4cd5af543a0

  • SHA1

    297ebd574004a01108d997d73248db89dfdbf2fc

  • SHA256

    011c059fa55493bf1821a870d89e7d6d3f5f1c45646c952f33194ca2770668a1

  • SHA512

    02c72d5137a9f8b8536507761def77e2b1ff381fc0ca9105f56760d8ff31ef32fb72e36c9947e7a6557e763c04dfd8bf523fc7bb92eee020d0082e51bdf0c21e

  • SSDEEP

    1536:/d9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:3dseIOyEZEyFjEOFqTiQm5l/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        PID:2616
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:4404

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    92KB

    MD5

    a00eab46c5f0ba93984257d595e6db62

    SHA1

    b3850fc3e177a762cc3a8f5ee266c49967480b41

    SHA256

    a130fa28aadc20d9ea3ad4c2b8a24bcaefa8c5e00e50405e2696cea02885d901

    SHA512

    407eb1498990ac000f69770fe21a9934f374ab330263b819adb46ef83d36ccaa1cce50f89a74526c039d4e2299101dfc162a262f2768a3190c6951b16a2917d0

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    92KB

    MD5

    84230afd5a8a2644094660f014b02995

    SHA1

    36e2352fdce75e7afd6300e7fc527232eb140ce4

    SHA256

    78b98f9e1b0b085472a8d9c0d15b2aa44d7185859c5020b4e948cb0e72d7299c

    SHA512

    4a8223eff219b57af9d6e603e5aad94715ed0674d4b2f87ee05573e3cf404a4491253aebf95bc9e9ba442bd1a6884ce732ed923252dbd27c81e27365733edc98

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    92KB

    MD5

    13f49e4a4a81b2dfaa5471c3c897469e

    SHA1

    f2edbb98b9fd5e4ab2bc68840ef22a5f49a746c9

    SHA256

    e3eac5d9abb48a6271d0b9c3f1a870fd631e630866a3b75a72725e9ee9655235

    SHA512

    5e472b1fb5cb3948014bf2f8f80d1feb40a1e0ec1087f275b4c3938bb5929df170aaec2b8747269cbe82fef2d5f21c6e22d6ff77b6773b80a51d07ce053f4ae7

  • memory/1324-6-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1324-7-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1324-11-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1328-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1328-5-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2616-12-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/2616-14-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4404-15-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4404-16-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB