neconyd | e66c6a8c77184285cc0b03571ec3694c334cf1a56b089ea5abf02d7dfa26af26

Analysis

max time kernel
145s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe
Size

72KB
MD5

77bc636ff796f371de0293a5706729b0
SHA1

9fc9297ab140f4d8d304c8359c05ce919cb95eff
SHA256

e66c6a8c77184285cc0b03571ec3694c334cf1a56b089ea5abf02d7dfa26af26
SHA512

7d40f1ca8bab42bd0677c4df8e489b5e80070eb169805a3375c31ebdbb5ddf467b67476c6a84dd7eccc5aa5dd5932d5fc1f02b814c0b8ea523d41013b4c3c2a0
SSDEEP

768:lMEIvFGvoEr8LFK0ic46N47eSvYAHwmZGp6JXXlaa5uA:lbIvYvoEyFKF6N4ySAAQmZTl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2992 omsecor.exe
1800 omsecor.exe
1500 omsecor.exe

pid	process
2992	omsecor.exe
1800	omsecor.exe
1500	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exeomsecor.exeomsecor.exe

pid	process
2912	77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe
2912	77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe
2992	omsecor.exe
2992	omsecor.exe
1800	omsecor.exe
1800	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2912 wrote to memory of 2992	2912	77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe	omsecor.exe
PID 2912 wrote to memory of 2992	2912	77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe	omsecor.exe
PID 2912 wrote to memory of 2992	2912	77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe	omsecor.exe
PID 2912 wrote to memory of 2992	2912	77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe	omsecor.exe
PID 2992 wrote to memory of 1800	2992	omsecor.exe	omsecor.exe
PID 2992 wrote to memory of 1800	2992	omsecor.exe	omsecor.exe
PID 2992 wrote to memory of 1800	2992	omsecor.exe	omsecor.exe
PID 2992 wrote to memory of 1800	2992	omsecor.exe	omsecor.exe
PID 1800 wrote to memory of 1500	1800	omsecor.exe	omsecor.exe
PID 1800 wrote to memory of 1500	1800	omsecor.exe	omsecor.exe
PID 1800 wrote to memory of 1500	1800	omsecor.exe	omsecor.exe
PID 1800 wrote to memory of 1500	1800	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
72KB

MD5
808d38c503420b28a362b339f44f901d

SHA1
00e872de4fca40bca73bf60a446ead65ddb6f4c8

SHA256
eb72a385e62d1573c772202e9f7d71ddabb9782dab92b59b2ec52f125e69711f

SHA512
de396994af82f123a61d46beabcef3d6cc6c6d94cb1d15d36f634cd7f66910822b26ee31037f193f0cb8171950fbf2677856f30e14f173ef5a8ba6a3d47dbc8b

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
72KB

MD5
c3298ed9da3fd6921d6d1b14cca1ab65

SHA1
69a15043f2b2296132edfe770bb75852cfc60247

SHA256
e20cad1b2606146de40b024eb98a7369eea7e079c015a2a9dfad62bbffe28c2d

SHA512
f9eeb908be9264a772c70c8566ce8d4f0516da12859af4a1cfca87569027b4d2c58263661534b6939de2177636021370f84da061085bf9fc3349ee531528767e

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
72KB

MD5
3b3ef359003f13ffddb4247b4699a407

SHA1
dcffc735eef571583ab0c3aa9e0016c472b76827

SHA256
593732737355806f2c28004c1f037642f8685c6499c98580016966a27d5e7adf

SHA512
24b4c7e4127cad32ed0e53aa12f0071efa2f6e33950cb02cfd57dd92f82a3c3ad46aa17a54b892105227165f64f0e95d68cd5196fa174cc8d0b3bb8e0ece72d1

Download Submit
memory/1500-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1500-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1800-33-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1800-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2912-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2912-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2992-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2992-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2992-22-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download