neconyd | 6591c343a1b5912089950087d6c926cae3f7ee46d521170311eab844fe59e2ec

Analysis

max time kernel
120s
max time network
133s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59cd4a7353fe28d1e68e3e6a7f23a5f0_NeikiAnalytics.exe
Size

76KB
MD5

59cd4a7353fe28d1e68e3e6a7f23a5f0
SHA1

0084d644c8f8f0e117b8861520dbed60ad27e6cc
SHA256

6591c343a1b5912089950087d6c926cae3f7ee46d521170311eab844fe59e2ec
SHA512

4ebf2d809c20203c71163587c52bda1619cbe5a76057d202b9b5bab21c65645c26fe0787104b4c1cf649e690d33087c0169e108d9bc3960ce7040776606a21dc
SSDEEP

1536:Ud9dseIOcE93dIvYvZEyF4EEOF6N4yS+AQmZTl/5R11:sdseIOKEZEyFjEOFqTiQm5l/5R11

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2072	omsecor.exe
2752	omsecor.exe
1592	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2208	59cd4a7353fe28d1e68e3e6a7f23a5f0_NeikiAnalytics.exe
2208	59cd4a7353fe28d1e68e3e6a7f23a5f0_NeikiAnalytics.exe
2072	omsecor.exe
2072	omsecor.exe
2752	omsecor.exe
2752	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2072	2208	59cd4a7353fe28d1e68e3e6a7f23a5f0_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2072	2208	59cd4a7353fe28d1e68e3e6a7f23a5f0_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2072	2208	59cd4a7353fe28d1e68e3e6a7f23a5f0_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2072	2208	59cd4a7353fe28d1e68e3e6a7f23a5f0_NeikiAnalytics.exe	28
PID 2072 wrote to memory of 2752	2072	omsecor.exe	32
PID 2072 wrote to memory of 2752	2072	omsecor.exe	32
PID 2072 wrote to memory of 2752	2072	omsecor.exe	32
PID 2072 wrote to memory of 2752	2072	omsecor.exe	32
PID 2752 wrote to memory of 1592	2752	omsecor.exe	33
PID 2752 wrote to memory of 1592	2752	omsecor.exe	33
PID 2752 wrote to memory of 1592	2752	omsecor.exe	33
PID 2752 wrote to memory of 1592	2752	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\59cd4a7353fe28d1e68e3e6a7f23a5f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\59cd4a7353fe28d1e68e3e6a7f23a5f0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
5ed3bf388bdcce2e7aee14ac529eecc9

SHA1
7c92c7f89e60f3db52c63cf2bdb88fd8bdf7e6b0

SHA256
c5adb4934aeca136437e555268bd544f51841340e4836eb2821df297631e2af3

SHA512
1839ffc38c4e9d01052c3ea239dfaac959add3c0f37ccc02fb7c4b05261584df466d80ee308210cf1560eb166cbcc36fb6f9b5f5b13cd54611be2c47cb761414

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
26aa34fea85a91870157916eed4e983d

SHA1
809b7dd383d2649c5a2565d0931e06f1c2edd138

SHA256
2aa372b536f28bcc893e43e729d05f35f44c0ae9960992e179c70d2716fdc79e

SHA512
4a239a57251068a8b6ba6c1888c7bd55a0aadbfcb8f92c8012ff6e1b9b4cf9f192ee1f32c2fe817cd51943f9df4941dcc4ba9a5d68f632f81ad47699bcb5040b

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
03dad284e348a89b25a5baee4d6fc0af

SHA1
d1460918e97d720a79d8ddc373c51bfe80535564

SHA256
270d7c1e4a5b7ca5923df1cf2e2c436455d937ec4bd767068c4c30734dcb9224

SHA512
31d5a161e57ae4ee01a547da99467ba15c0b05a1b826b897a22fc735ebad62c2c7df2a6b94284c47cf37214eb3040a166fa358615346adaf414a3a26aaf2e229

Download Submit
memory/1592-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2072-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2072-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2072-15-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/2072-21-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2208-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2208-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2752-27-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/2752-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download