neconyd | e66c6a8c77184285cc0b03571ec3694c334cf1a56b089ea5abf02d7dfa26af26

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe
Size

72KB
MD5

77bc636ff796f371de0293a5706729b0
SHA1

9fc9297ab140f4d8d304c8359c05ce919cb95eff
SHA256

e66c6a8c77184285cc0b03571ec3694c334cf1a56b089ea5abf02d7dfa26af26
SHA512

7d40f1ca8bab42bd0677c4df8e489b5e80070eb169805a3375c31ebdbb5ddf467b67476c6a84dd7eccc5aa5dd5932d5fc1f02b814c0b8ea523d41013b4c3c2a0
SSDEEP

768:lMEIvFGvoEr8LFK0ic46N47eSvYAHwmZGp6JXXlaa5uA:lbIvYvoEyFKF6N4ySAAQmZTl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

3300 omsecor.exe
2512 omsecor.exe
2264 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
3300	omsecor.exe
2512	omsecor.exe
2264	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3076 wrote to memory of 3300	3076	77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe	omsecor.exe
PID 3076 wrote to memory of 3300	3076	77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe	omsecor.exe
PID 3076 wrote to memory of 3300	3076	77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe	omsecor.exe
PID 3300 wrote to memory of 2512	3300	omsecor.exe	omsecor.exe
PID 3300 wrote to memory of 2512	3300	omsecor.exe	omsecor.exe
PID 3300 wrote to memory of 2512	3300	omsecor.exe	omsecor.exe
PID 2512 wrote to memory of 2264	2512	omsecor.exe	omsecor.exe
PID 2512 wrote to memory of 2264	2512	omsecor.exe	omsecor.exe
PID 2512 wrote to memory of 2264	2512	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3076

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:2264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
9a0f907be9ce87e8f07975ed78aacf84

SHA1
6734dc8ee32548c49a10dfb8fb198176817108db

SHA256
9f0a4f6cec1246ec896785bf06eadf8eef0e5d5e77b315d865af604839ad6357

SHA512
80c55283a56fc5f12dd8861c351e2dc4d21eeb9bc19dddb5b7466a051ec580be429bb2afc1af819a2ee21d4b993d113e9b7cc3a8b3b98c196c5ff74a21f012f1

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
c3298ed9da3fd6921d6d1b14cca1ab65

SHA1
69a15043f2b2296132edfe770bb75852cfc60247

SHA256
e20cad1b2606146de40b024eb98a7369eea7e079c015a2a9dfad62bbffe28c2d

SHA512
f9eeb908be9264a772c70c8566ce8d4f0516da12859af4a1cfca87569027b4d2c58263661534b6939de2177636021370f84da061085bf9fc3349ee531528767e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
a9aabe5b44e6dff47047bf6fe008584e

SHA1
e3c6ea8afde7a53bdea2104d38d4c97d63990eef

SHA256
e2647e7fcebcd9126a337aa542b69e605e1397079cac832158e4c315b7ed623b

SHA512
bcdadf27e29b8d565dcc7e31e759e5bba0bbdc0500bc8f0592de691e2330603c33e9b3b08304e419ccc9229b853a4861401caedcf5114d55a81482ad91c9a734

Download Submit
memory/2264-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2264-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2512-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2512-16-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3076-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3076-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3300-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3300-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3300-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download