neconyd | d31484795baf627696616856ba6d748b9f72e329644b736266bb51ffa5c6537c

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe
Size

92KB
MD5

02970d89e3fe7000bc5904735cbe68c0
SHA1

a30daa5e7194d34ade91dad2c8f3ab2afe4c02c3
SHA256

d31484795baf627696616856ba6d748b9f72e329644b736266bb51ffa5c6537c
SHA512

8890982daedadd507d46a1832e19bdc5d9c3911cf85c1fae84949155d03d4b365ab0701a9b16d8387ec009493f296c704e3abff3145626043bd153a86d6f9d16
SSDEEP

1536:/d9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:3dseIOyEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2036 omsecor.exe
4320 omsecor.exe
60 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
2036	omsecor.exe
4320	omsecor.exe
60	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 4816 wrote to memory of 2036	4816	02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe	omsecor.exe
PID 4816 wrote to memory of 2036	4816	02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe	omsecor.exe
PID 4816 wrote to memory of 2036	4816	02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe	omsecor.exe
PID 2036 wrote to memory of 4320	2036	omsecor.exe	omsecor.exe
PID 2036 wrote to memory of 4320	2036	omsecor.exe	omsecor.exe
PID 2036 wrote to memory of 4320	2036	omsecor.exe	omsecor.exe
PID 4320 wrote to memory of 60	4320	omsecor.exe	omsecor.exe
PID 4320 wrote to memory of 60	4320	omsecor.exe	omsecor.exe
PID 4320 wrote to memory of 60	4320	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:60

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4100,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8
1⤵
PID:1484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
339e609d19cea381d1bd60a457fce223

SHA1
04858d3a668c9ced2fcdad4226c4cc374c2429e5

SHA256
ffabc904d4745e87c49c7313c082534adfe5abce5576b1bc3e236d2ca096f826

SHA512
d534f7c4bb629151370740547bd80f0db68e567fafb8fd0810a42010978fc77f8797abcc864e72cba6f44bdde786386a7fd28eda44dcfdf678fe2cb57be82ae4

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
c56c0bef9598b5dc547ab73a23ab9114

SHA1
4d090dfe2bf80f2f5448e36fe479880b89752c30

SHA256
bd663f68410fc4b7fa94282106dad2b3d0a9b071b35b7edc753873f6541ae275

SHA512
8861f588f05131f3654fe2db56268d69739daf33fea20baadd0deb13af56ce69f34d4a9b3d9a77a5ec46e81822b0372d730f30134b15417fc55ca3cfdf3bea9d

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
92KB

MD5
a32547da1d775f5e614a35a4192ef9d6

SHA1
1fbd53915756ffee9f7e0b989f1dfde58334536b

SHA256
15dc8937d3c197f71db9146049d5cd3a27d7b1b92cbcdd06a57f9fc47f3f8886

SHA512
43532dc56a2ba96025d6020917cbfc9914fe2a25949749f89db035f7e05f2db7a30cbf883080b8297930111c047789f2e45ae9821396eb1375bc8400bbefd7a0

Download Submit
memory/60-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/60-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2036-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2036-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2036-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4320-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4320-16-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4816-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4816-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download