neconyd | d31484795baf627696616856ba6d748b9f72e329644b736266bb51ffa5c6537c

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-06-2024 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe
Size

92KB
MD5

02970d89e3fe7000bc5904735cbe68c0
SHA1

a30daa5e7194d34ade91dad2c8f3ab2afe4c02c3
SHA256

d31484795baf627696616856ba6d748b9f72e329644b736266bb51ffa5c6537c
SHA512

8890982daedadd507d46a1832e19bdc5d9c3911cf85c1fae84949155d03d4b365ab0701a9b16d8387ec009493f296c704e3abff3145626043bd153a86d6f9d16
SSDEEP

1536:/d9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:3dseIOyEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2200 omsecor.exe
2320 omsecor.exe
1496 omsecor.exe

pid	process
2200	omsecor.exe
2320	omsecor.exe
1496	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exeomsecor.exeomsecor.exe

pid	process
2276	02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe
2276	02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe
2200	omsecor.exe
2200	omsecor.exe
2320	omsecor.exe
2320	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2276 wrote to memory of 2200	2276	02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe	omsecor.exe
PID 2276 wrote to memory of 2200	2276	02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe	omsecor.exe
PID 2276 wrote to memory of 2200	2276	02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe	omsecor.exe
PID 2276 wrote to memory of 2200	2276	02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe	omsecor.exe
PID 2200 wrote to memory of 2320	2200	omsecor.exe	omsecor.exe
PID 2200 wrote to memory of 2320	2200	omsecor.exe	omsecor.exe
PID 2200 wrote to memory of 2320	2200	omsecor.exe	omsecor.exe
PID 2200 wrote to memory of 2320	2200	omsecor.exe	omsecor.exe
PID 2320 wrote to memory of 1496	2320	omsecor.exe	omsecor.exe
PID 2320 wrote to memory of 1496	2320	omsecor.exe	omsecor.exe
PID 2320 wrote to memory of 1496	2320	omsecor.exe	omsecor.exe
PID 2320 wrote to memory of 1496	2320	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
ec0b8560b8b2e6422a7de4f410830a01

SHA1
e368d1900d25530db699e551a316f21715b8e90b

SHA256
bd4c256146ffb60a6cbfe3a6366d4854ded03c2cdfb8e795eaff426338786a3f

SHA512
e57a909e50b22b044c3c3e29f2c1d5a38f158c09be986d582c9e3667511192cad7dd3fa2730686fdeaa9ebc859b2d66257e6a6bfd33cae3af3e69441f27cd986

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
c56c0bef9598b5dc547ab73a23ab9114

SHA1
4d090dfe2bf80f2f5448e36fe479880b89752c30

SHA256
bd663f68410fc4b7fa94282106dad2b3d0a9b071b35b7edc753873f6541ae275

SHA512
8861f588f05131f3654fe2db56268d69739daf33fea20baadd0deb13af56ce69f34d4a9b3d9a77a5ec46e81822b0372d730f30134b15417fc55ca3cfdf3bea9d

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
92KB

MD5
ccaa003eabb5b94bb441c0ade5121b99

SHA1
42d279fe92e08275c603d27bbdfb46d6a7058493

SHA256
13d36294d2bd29a57a6a0b9644f18de188f5c396c70098a1793a3d18bdb7e50c

SHA512
8762d82689d0feed670ee509735b3597a32ca3efba76f03fafe60cb10b1b72b04ed7ce647f06a92a93a86293be7d47a36836451dc94c18a5b9e37e26ac6f0f84

Download Submit
memory/1496-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1496-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2200-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2200-17-0x0000000000300000-0x000000000032B000-memory.dmp

Filesize
172KB

Download
memory/2200-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2200-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2276-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2276-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2320-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2320-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download