neconyd | 6ed443366a00b45ba405dc7e710f8fceb34683d97ddf14d1f3e79f113206be94

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe
Size

65KB
MD5

0b291e1681d27801782c43013bc35810
SHA1

cfd1e8cf2953456f8041da203ea9f9e1b046aa22
SHA256

6ed443366a00b45ba405dc7e710f8fceb34683d97ddf14d1f3e79f113206be94
SHA512

0f6f52598ca9e571957e0d027031cd00afd1779ea9ede642d3f26dabc6c8957b5ee2a58d8d1b6a026f82ff90852067aa7b81c6e576145f44fa64b63b7efb88c8
SSDEEP

1536:Td9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZcl/5:TdseIO+EZEyFjEOFqTiQmOl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
1492	omsecor.exe
3268	omsecor.exe
1548	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 1492	4564	0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe	83
PID 4564 wrote to memory of 1492	4564	0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe	83
PID 4564 wrote to memory of 1492	4564	0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe	83
PID 1492 wrote to memory of 3268	1492	omsecor.exe	100
PID 1492 wrote to memory of 3268	1492	omsecor.exe	100
PID 1492 wrote to memory of 3268	1492	omsecor.exe	100
PID 3268 wrote to memory of 1548	3268	omsecor.exe	101
PID 3268 wrote to memory of 1548	3268	omsecor.exe	101
PID 3268 wrote to memory of 1548	3268	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0b291e1681d27801782c43013bc35810_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
3cbaed4080a79d8f92f9ed30decc2f64

SHA1
2533901e102075af65c8f34fd81f8ae3c7f1eaf9

SHA256
d3893921ab6aec5efe22447e8eea3d5b4d3078bb44d031dfe680a521d915431a

SHA512
ad8d6adfc256ccc1e2ed1942067e75c3d790030ee982cea4e72ccfb78301847579ce23877c06525844dda17340796de1e10fc47f4efa0b41063255963ddcd60a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
417cf13f32493e44602d8d206c3fa1c6

SHA1
0532f3156ec3d14a328f3aba79aeb0ee0d0974ac

SHA256
2c21c624765fb503a40f588e0a1a80e12745d785c6b2b18c2917a1b7ff87b369

SHA512
f5e651aa27c0614437f8924d4447b73c1ff8053cb17b302e4f6f843eb6878a3149fc126aa611ad8284d0ae2a4ff67dd72212f579cac141aabc3d47a9b81aa447

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
e3c91d131b400f6de65bfb4975147d5b

SHA1
66f6dc79a3a0fec9106de8c59c735c7ce4417738

SHA256
5cda86d99de2056c8f5fa5e7d4689bffdf130fc13b6ffe6ece55ef1bc138a4d0

SHA512
adf9eeec8d0cdf5346d4b6c6d93474a2cd47ed56a1eda642ffc34d316bcc118dc7e667f2bb720c5d0f9566ef74047827c943a66d67ffa84d347c404e32669d00

Download Submit
memory/1492-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1492-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1492-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1548-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1548-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3268-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3268-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4564-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4564-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download