neconyd | 6ed443366a00b45ba405dc7e710f8fceb34683d97ddf14d1f3e79f113206be94

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe
Size

65KB
MD5

0b291e1681d27801782c43013bc35810
SHA1

cfd1e8cf2953456f8041da203ea9f9e1b046aa22
SHA256

6ed443366a00b45ba405dc7e710f8fceb34683d97ddf14d1f3e79f113206be94
SHA512

0f6f52598ca9e571957e0d027031cd00afd1779ea9ede642d3f26dabc6c8957b5ee2a58d8d1b6a026f82ff90852067aa7b81c6e576145f44fa64b63b7efb88c8
SSDEEP

1536:Td9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZcl/5:TdseIO+EZEyFjEOFqTiQmOl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2820	omsecor.exe
1460	omsecor.exe
2192	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1736	0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe
1736	0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe
2820	omsecor.exe
2820	omsecor.exe
1460	omsecor.exe
1460	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2820	1736	0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe	28
PID 1736 wrote to memory of 2820	1736	0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe	28
PID 1736 wrote to memory of 2820	1736	0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe	28
PID 1736 wrote to memory of 2820	1736	0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe	28
PID 2820 wrote to memory of 1460	2820	omsecor.exe	32
PID 2820 wrote to memory of 1460	2820	omsecor.exe	32
PID 2820 wrote to memory of 1460	2820	omsecor.exe	32
PID 2820 wrote to memory of 1460	2820	omsecor.exe	32
PID 1460 wrote to memory of 2192	1460	omsecor.exe	33
PID 1460 wrote to memory of 2192	1460	omsecor.exe	33
PID 1460 wrote to memory of 2192	1460	omsecor.exe	33
PID 1460 wrote to memory of 2192	1460	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:2192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
3a7831a502100176e93d9db3044dd6c6

SHA1
be46c6a2dbfefdbf7aaad2d37460612bddf7edcd

SHA256
b91b6ff99bf4e4ea5c0247b9790c1604b8057abd77b78f575162b82f6cb2c8a5

SHA512
9172cd6723c2921a6c38c683b1e5832ea492a045379d89408d091c016c4debfc4fe6e991a574072757755d6aaff862147b9ccf4df343361cccbff43d5390a68a

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
417cf13f32493e44602d8d206c3fa1c6

SHA1
0532f3156ec3d14a328f3aba79aeb0ee0d0974ac

SHA256
2c21c624765fb503a40f588e0a1a80e12745d785c6b2b18c2917a1b7ff87b369

SHA512
f5e651aa27c0614437f8924d4447b73c1ff8053cb17b302e4f6f843eb6878a3149fc126aa611ad8284d0ae2a4ff67dd72212f579cac141aabc3d47a9b81aa447

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
356c48e0cc37b7851335867384703f31

SHA1
26b0aa2711aef2374caf23b8a71d2d8f270baf66

SHA256
eb9b9b512c5653ca0bb60c2d16b6d39e3660fa3a559451e5a11bfdc9f8ac96a6

SHA512
1f26474389f38ba7c35f17d4d8d495833bb9b1e1107d1356a58355b55f9212ad99048a01822898d2bbe6a3a1e3dc8ffde06921c2fbbdd144c251ad581d16efb9

Download Submit
memory/1460-29-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1460-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1736-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1736-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1736-9-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1736-8-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2192-40-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2192-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2820-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2820-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2820-19-0x0000000000330000-0x000000000035A000-memory.dmp

Filesize
168KB

Download
memory/2820-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download