Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/05/2024, 07:57

General

  • Target

    1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe

  • Size

    96KB

  • MD5

    7ec381c4b60d6d4bb8c153c3e1827110

  • SHA1

    0f41884d1f4093b53849a3de27b1886f621c63a4

  • SHA256

    1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a

  • SHA512

    0e05d6e74b8a229f5f14e8e76d60d2d7bbdb8d536bba330900ac9394eb8d6ba8b661abedeff9dfc3f6055b788b43a9bd1ade38889a8c98af0c7ed8945cb989fd

  • SSDEEP

    1536:KnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:KGs8cd8eXlYairZYqMddH13L

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Suspicious use of SetThreadContext (4 IoCs)
  • Suspicious use of WriteProcessMemory (36 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
      C:\Users\Admin\AppData\Local\Temp\1f2d0d245c91e112cb44208bd4f47bdd067f6a1ef9c7f8e33f3d49db784f715a_NeikiAnalytics.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:2568
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:828
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1432
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2260
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  PID:2064

Network

        MITRE ATT&CK Matrix

        Downloads

        • \Users\Admin\AppData\Roaming\omsecor.exe

          Filesize

          96KB

          MD5

          6a8c8a73b03450d86d4c97f3529fa3e5

          SHA1

          b44d79345d0e4084c6dbc847c17dc9fad5d6771d

          SHA256

          a12ab56994ee18450c824c471e765909453754e70e01af6f30e693cc1e3ee3b0

          SHA512

          cf84248d40548f7019ff4a03b86762d155cb1513e7c3fd3a2902b8a4761b03b2f8288f9e8116011e632f68ea33e094d47d35c13778439136a6468fb80e65d3ef

        • \Users\Admin\AppData\Roaming\omsecor.exe

          Filesize

          96KB

          MD5

          58c2442275c7b29002230fd04a02e091

          SHA1

          010b64d8acfe08c70edbed4faf49bce9a581c3d7

          SHA256

          0704ba0210e50b1329e566c93092dbe7df161e2ca6556209d3a9c392b8c4c790

          SHA512

          517d52e5e798873e72134258ca32f1cb599e7892d335c761289a1aa16e91609e85d3f404060593d2b155b4b071bcec2ba1db3a9c80cfbd4c430428855b158265

        • \Windows\SysWOW64\omsecor.exe

          Filesize

          96KB

          MD5

          f526abddb6fec7600212d4d7274def18

          SHA1

          9e0a57d6a3cd90cb8c153f66277962ec4d1a07a7

          SHA256

          cf519c76c1e21a602a6983d1734ae3e579b95fc035307369ce602787603a02fd

          SHA512

          282494beb306fbb9d92dd4ee84ddb7ace95f2ca62bda3a089ddf935f3b1764a840de8e0fd0c5cef3e001a943cc4e63e4cc67810a56f4e1a97784e957798741ae

        • memory/828-69-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

        • memory/828-59-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

        • memory/2064-94-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

        • memory/2064-91-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

        • memory/2260-88-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

        • memory/2260-81-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

        • memory/2568-57-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

        • memory/2568-46-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

        • memory/2568-49-0x0000000002380000-0x00000000023A3000-memory.dmp

          Filesize

          140KB

        • memory/2568-36-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

        • memory/2568-40-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

        • memory/2568-43-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

        • memory/2732-0-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

        • memory/2732-7-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

        • memory/2776-23-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

        • memory/2776-33-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

        • memory/2828-19-0x0000000000230000-0x0000000000253000-memory.dmp

          Filesize

          140KB

        • memory/2828-21-0x0000000000230000-0x0000000000253000-memory.dmp

          Filesize

          140KB

        • memory/2828-5-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

        • memory/2828-11-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

        • memory/2828-9-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

        • memory/2828-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2828-2-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB