neconyd | 593f759b4fd9511b1c41f7b47d39b8e6f56640fe9fb433be197632d228d52ece

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-06-2024 00:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bec506d6ed7c387188fac3ab3f6f9e0_NeikiAnalytics.exe
Size

76KB
MD5

7bec506d6ed7c387188fac3ab3f6f9e0
SHA1

090b14d975054bbce8c5f0a04f17dd3bcfddc352
SHA256

593f759b4fd9511b1c41f7b47d39b8e6f56640fe9fb433be197632d228d52ece
SHA512

870514b19355c58264d0078056bcdcfec0c65dc9f0d3b392c2af44bb14ec3e72f08e664e4c5ff01db7f8ead48a7e38003f67d44b2c55286738c7b15dd318e435
SSDEEP

1536:Hd9dseIOcE93dIvYvZEyF4EEOF6N4yS+AQmZTl/5011:vdseIOKEZEyFjEOFqTiQm5l/5011

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2504 omsecor.exe
2944 omsecor.exe
2508 omsecor.exe

pid	process
2504	omsecor.exe
2944	omsecor.exe
2508	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

7bec506d6ed7c387188fac3ab3f6f9e0_NeikiAnalytics.exeomsecor.exeomsecor.exe

pid	process
3024	7bec506d6ed7c387188fac3ab3f6f9e0_NeikiAnalytics.exe
3024	7bec506d6ed7c387188fac3ab3f6f9e0_NeikiAnalytics.exe
2504	omsecor.exe
2504	omsecor.exe
2944	omsecor.exe
2944	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7bec506d6ed7c387188fac3ab3f6f9e0_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3024 wrote to memory of 2504	3024	7bec506d6ed7c387188fac3ab3f6f9e0_NeikiAnalytics.exe	omsecor.exe
PID 3024 wrote to memory of 2504	3024	7bec506d6ed7c387188fac3ab3f6f9e0_NeikiAnalytics.exe	omsecor.exe
PID 3024 wrote to memory of 2504	3024	7bec506d6ed7c387188fac3ab3f6f9e0_NeikiAnalytics.exe	omsecor.exe
PID 3024 wrote to memory of 2504	3024	7bec506d6ed7c387188fac3ab3f6f9e0_NeikiAnalytics.exe	omsecor.exe
PID 2504 wrote to memory of 2944	2504	omsecor.exe	omsecor.exe
PID 2504 wrote to memory of 2944	2504	omsecor.exe	omsecor.exe
PID 2504 wrote to memory of 2944	2504	omsecor.exe	omsecor.exe
PID 2504 wrote to memory of 2944	2504	omsecor.exe	omsecor.exe
PID 2944 wrote to memory of 2508	2944	omsecor.exe	omsecor.exe
PID 2944 wrote to memory of 2508	2944	omsecor.exe	omsecor.exe
PID 2944 wrote to memory of 2508	2944	omsecor.exe	omsecor.exe
PID 2944 wrote to memory of 2508	2944	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\7bec506d6ed7c387188fac3ab3f6f9e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7bec506d6ed7c387188fac3ab3f6f9e0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:2508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
76KB

MD5
5dce5a3639f3d8a5c268e44e25b165ff

SHA1
9e7c74351a63cf3d2d135057657951dfca2bacb9

SHA256
e373b4dedc0a732dd5e8cbc73eb8359ae9ba650ef30c8221945e81a5f097cdc3

SHA512
35e75f85912d2f69f30fa980988ad3a1e77a1085cbf35059bc416eabe391b2d1db8c2c230b65ba55f66095a0469ec1e62ceb2d7e875b0da56153611acc1676ba

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
76KB

MD5
e022177365ab2da6273e566b0402f65e

SHA1
2352f257c25ffd9f6287376fd9cd1f1d8cd81012

SHA256
128d5d754c66b73b6b073f31d9d584be23877c5ab9c51dc848d83c5e6412eef4

SHA512
3207b19eedd3f66da0199e58c6588973e082fc607e48d2a5368034e9fa683f51adfa20cccc2d0ff3cbb70478f729df6503eac168313414cd6f7dbeb91145e68c

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
76KB

MD5
86b65fea77b306c584e899df4a112d94

SHA1
97795d40ebf8a51df868554a1e8d9b93e7385a6b

SHA256
31b4926b11f106ac7695552d6f335253fa4b6e647fcab0c97c57eff15d93c955

SHA512
c1ab76cde917ba6928a0c31a5aa6f5b95086421b10181fcafd7050d969df5025786e30625d4d37b6ac03f4312906ec756d4ee389925ee8d5dbe8f6d03bbd5bec

Download Submit
memory/2504-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2504-17-0x0000000000390000-0x00000000003BA000-memory.dmp

Filesize
168KB

Download
memory/2504-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2508-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2508-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2944-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3024-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3024-4-0x0000000000430000-0x000000000045A000-memory.dmp

Filesize
168KB

Download
memory/3024-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download