neconyd | b1411146ef2db38b8e22aaa9d593826912c9f7bb39169380fc58bb4a79ed3dea

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 12:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5554d94414137efb9aa3439b28873820_NeikiAnalytics.exe
Size

92KB
MD5

5554d94414137efb9aa3439b28873820
SHA1

b4763594ab72008a883c8f926dba0e70b57d87cf
SHA256

b1411146ef2db38b8e22aaa9d593826912c9f7bb39169380fc58bb4a79ed3dea
SHA512

52d28bf2b0d007e9bda96d2a29cb6e2609176176a58f95b8385e2aa937c1ef52f30320fd6af6c9298a8bd935d928f3f36cafdae60d71d802f91d969d316c2875
SSDEEP

768:hMEIvFGvZEh8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:hbIvYvZEgFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2192	omsecor.exe
2248	omsecor.exe
2836	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2364	5554d94414137efb9aa3439b28873820_NeikiAnalytics.exe
2364	5554d94414137efb9aa3439b28873820_NeikiAnalytics.exe
2192	omsecor.exe
2192	omsecor.exe
2248	omsecor.exe
2248	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2192	2364	5554d94414137efb9aa3439b28873820_NeikiAnalytics.exe	28
PID 2364 wrote to memory of 2192	2364	5554d94414137efb9aa3439b28873820_NeikiAnalytics.exe	28
PID 2364 wrote to memory of 2192	2364	5554d94414137efb9aa3439b28873820_NeikiAnalytics.exe	28
PID 2364 wrote to memory of 2192	2364	5554d94414137efb9aa3439b28873820_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 2248	2192	omsecor.exe	32
PID 2192 wrote to memory of 2248	2192	omsecor.exe	32
PID 2192 wrote to memory of 2248	2192	omsecor.exe	32
PID 2192 wrote to memory of 2248	2192	omsecor.exe	32
PID 2248 wrote to memory of 2836	2248	omsecor.exe	33
PID 2248 wrote to memory of 2836	2248	omsecor.exe	33
PID 2248 wrote to memory of 2836	2248	omsecor.exe	33
PID 2248 wrote to memory of 2836	2248	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\5554d94414137efb9aa3439b28873820_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5554d94414137efb9aa3439b28873820_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:2836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
acafa02fc5ad881052643978d793ec33

SHA1
99a8a52c6b630bb104cf60a513f174e7ccb36194

SHA256
c2cb8f02228d0c5377baf1934c4caa2175880ce74522a5696735c525159615c9

SHA512
b102cf2152f489e6431474ceca1c2ac3a16e928dad4ad5af4bad0da53819e19c5cbdd80ebb43a19641f22f3dbeed4954d6c0fa9744434a1e90785e3cb6f1ed2d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
1500ba406bbab2c2fd8122630a20648d

SHA1
b292cd8420e6fbd9c8b53a33bcf4ae82433f4813

SHA256
11bde6a7a89cfc35f7d4479f9b8d238328487931ba34520a81b9d066e45d3a4f

SHA512
6b1fe1578adbb5cb34583e756f205ac11a215072fb506690095919dc0a1b2e7876b1d32762c61f2efd0def3884022e9597d0f6a63439d3c9d8e48a2848f21624

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
0e79d6a5ddd65f19ae701e5e3f6fb2ec

SHA1
35b09032de2df8dcd13a63363dc66790ffa425aa

SHA256
8fcc2209f994bf09771f293fbe505170ab45cf357c6298f83f0e5494f199c5cf

SHA512
f4929f21b7956f546c973b07fb43f26e47e216a50976934f8479567875dd809f41c7bd6a2db827b5ca7dc009f0992061080980d49d5dee9ac1fb1eb4427ab28e

Download Submit
memory/2192-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2192-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2192-18-0x0000000000300000-0x000000000032B000-memory.dmp

Filesize
172KB

Download
memory/2192-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2248-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2364-8-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2364-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2364-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2836-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2836-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download