neconyd | 996e6e5bf4da0c16851e78c8ec3bf2796318b4b67379737919f80729144acd11

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7be6f006702222359aaab85c08030290_NeikiAnalytics.exe
Size

92KB
MD5

7be6f006702222359aaab85c08030290
SHA1

f4d19da40017ad2209d577453bf5e15d995bbdd2
SHA256

996e6e5bf4da0c16851e78c8ec3bf2796318b4b67379737919f80729144acd11
SHA512

2de90d20195f7d14f4733c16f54ada5de9711e0ece1bf0d63baead1f4dd6f7aeae18afe4114683aa814a160877458148f67b6e35f5b242cf1a1fd669a9a1c0a0
SSDEEP

1536:qd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:qdseIOyEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1480 omsecor.exe
2888 omsecor.exe
1624 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
1480	omsecor.exe
2888	omsecor.exe
1624	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7be6f006702222359aaab85c08030290_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2656 wrote to memory of 1480	2656	7be6f006702222359aaab85c08030290_NeikiAnalytics.exe	omsecor.exe
PID 2656 wrote to memory of 1480	2656	7be6f006702222359aaab85c08030290_NeikiAnalytics.exe	omsecor.exe
PID 2656 wrote to memory of 1480	2656	7be6f006702222359aaab85c08030290_NeikiAnalytics.exe	omsecor.exe
PID 1480 wrote to memory of 2888	1480	omsecor.exe	omsecor.exe
PID 1480 wrote to memory of 2888	1480	omsecor.exe	omsecor.exe
PID 1480 wrote to memory of 2888	1480	omsecor.exe	omsecor.exe
PID 2888 wrote to memory of 1624	2888	omsecor.exe	omsecor.exe
PID 2888 wrote to memory of 1624	2888	omsecor.exe	omsecor.exe
PID 2888 wrote to memory of 1624	2888	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\7be6f006702222359aaab85c08030290_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7be6f006702222359aaab85c08030290_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
5a3eeb4e5b26795cc69a24f1089a4f32

SHA1
633395304581a413a6ffe07170aaa2f7061f5bdb

SHA256
ce4726e52c1c6518741023309bb9d635858674af6d867527b28f8ef747b99d1d

SHA512
4db7f5892cbbfcaa2b2ab5ab352c0898694b172927cefad97ced3604745580307c6b5088fdb26fc179b6d0331125eac49d9a120ec71980fe767673b4d0815176

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
f8eab149475faa921f14b2d6ccadd28c

SHA1
47d208c69e0ec49b983c192ccd6ff329569d92a7

SHA256
7b3f33915f80c6bafd9864311bcc9a0b597f76f79e5c0ae34ad33d1fffaf740a

SHA512
9215926e8e7c288cb590b2b0c46911b4c1551e69abb573227e044cb5ad92b307cf2ffeee6658e9d14a6e110d5215e95d99564d036627ff0fc76ee0faafb77797

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
92KB

MD5
4ee7393f37436d2fb0475a188b78a3bd

SHA1
b478c0fbe6d35b5c5dc224f5f5a231b2c59276c8

SHA256
1ff8b7c77d5e29170c9cfda99b6cc01bd1881d9dbebe7735c84326f4ea11b0ae

SHA512
6a55ff70c35609768a29f12b681a1f6888e8d687c5f027eb5897be4dba6b85e195931876eb8252deefe2882a254353e1e323cd29bdc7ba37411ebfaf19bc9659

Download Submit
memory/1480-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1480-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1480-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1624-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1624-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2656-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2656-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2888-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2888-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download