neconyd | 996e6e5bf4da0c16851e78c8ec3bf2796318b4b67379737919f80729144acd11

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
08-06-2024 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7be6f006702222359aaab85c08030290_NeikiAnalytics.exe
Size

92KB
MD5

7be6f006702222359aaab85c08030290
SHA1

f4d19da40017ad2209d577453bf5e15d995bbdd2
SHA256

996e6e5bf4da0c16851e78c8ec3bf2796318b4b67379737919f80729144acd11
SHA512

2de90d20195f7d14f4733c16f54ada5de9711e0ece1bf0d63baead1f4dd6f7aeae18afe4114683aa814a160877458148f67b6e35f5b242cf1a1fd669a9a1c0a0
SSDEEP

1536:qd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:qdseIOyEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1900 omsecor.exe
292 omsecor.exe
2236 omsecor.exe

pid	process
1900	omsecor.exe
292	omsecor.exe
2236	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

7be6f006702222359aaab85c08030290_NeikiAnalytics.exeomsecor.exeomsecor.exe

pid	process
2284	7be6f006702222359aaab85c08030290_NeikiAnalytics.exe
2284	7be6f006702222359aaab85c08030290_NeikiAnalytics.exe
1900	omsecor.exe
1900	omsecor.exe
292	omsecor.exe
292	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7be6f006702222359aaab85c08030290_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2284 wrote to memory of 1900	2284	7be6f006702222359aaab85c08030290_NeikiAnalytics.exe	omsecor.exe
PID 2284 wrote to memory of 1900	2284	7be6f006702222359aaab85c08030290_NeikiAnalytics.exe	omsecor.exe
PID 2284 wrote to memory of 1900	2284	7be6f006702222359aaab85c08030290_NeikiAnalytics.exe	omsecor.exe
PID 2284 wrote to memory of 1900	2284	7be6f006702222359aaab85c08030290_NeikiAnalytics.exe	omsecor.exe
PID 1900 wrote to memory of 292	1900	omsecor.exe	omsecor.exe
PID 1900 wrote to memory of 292	1900	omsecor.exe	omsecor.exe
PID 1900 wrote to memory of 292	1900	omsecor.exe	omsecor.exe
PID 1900 wrote to memory of 292	1900	omsecor.exe	omsecor.exe
PID 292 wrote to memory of 2236	292	omsecor.exe	omsecor.exe
PID 292 wrote to memory of 2236	292	omsecor.exe	omsecor.exe
PID 292 wrote to memory of 2236	292	omsecor.exe	omsecor.exe
PID 292 wrote to memory of 2236	292	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\7be6f006702222359aaab85c08030290_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7be6f006702222359aaab85c08030290_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:292

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:2236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
f8eab149475faa921f14b2d6ccadd28c

SHA1
47d208c69e0ec49b983c192ccd6ff329569d92a7

SHA256
7b3f33915f80c6bafd9864311bcc9a0b597f76f79e5c0ae34ad33d1fffaf740a

SHA512
9215926e8e7c288cb590b2b0c46911b4c1551e69abb573227e044cb5ad92b307cf2ffeee6658e9d14a6e110d5215e95d99564d036627ff0fc76ee0faafb77797

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
1041a33a2d879dcd7546703182f7a90a

SHA1
45f40a68010ee0a1bd1c5d22fb18119b2241f3e0

SHA256
f17c231c586187364e5a0005f43aa292f18e15f23acd6df055c15f132d93d425

SHA512
0b13af763c3e33af05fcb6f7da6d22d0dbb536d3f90cacabd64b68cd1d8fa4816a1ad4544c273b01372b83e2a9a09403a97e5a7f68034e999bdd46d814455c77

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
92KB

MD5
e52a462ed278e73936444bb87336ff7e

SHA1
dabdbbb0ba3b7afc7bfa30a9ad12f1cb93dc0258

SHA256
ecaecc6dc23c292982e68fbedba9cbbfd35262f6d8a435defef501a6123c802e

SHA512
a57cf430b8bb4875979bc557e4121fe3ead053fd16d5d3e7cc706692a8613bc144682e87fb8d6a3f879916b28b95bdb78e4c00a920d7afb22387ee4e23202a46

Download Submit
memory/292-28-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/292-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1900-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1900-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1900-18-0x0000000000310000-0x000000000033B000-memory.dmp

Filesize
172KB

Download
memory/1900-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2236-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2236-39-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2284-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2284-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2284-3-0x00000000002B0000-0x00000000002DB000-memory.dmp

Filesize
172KB

Download