neconyd | b9ae3f7c1c219bf84e862d9588da9d34f68f1bbbff242b86c814dcbf4c1b1707

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-06-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe
Size

92KB
MD5

0cbf8a08556a92c3a9b8be1a0d423a20
SHA1

1563c750b2fb0ab92b3e61124f56ba4021fcdac8
SHA256

b9ae3f7c1c219bf84e862d9588da9d34f68f1bbbff242b86c814dcbf4c1b1707
SHA512

9c08c107a479eaf3f95ff8bcb7406fb88e69118793b7174939bfc1b34bf2bead3ca21041addcb331f90f5b8fc12d6b6a9e3009a6d6dff90dc4c15e8a29dfe875
SSDEEP

768:wMTIvFGvZEh8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:wUIvYvZEgFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

2632 omsecor.exe
1432 omsecor.exe

pid	process
2632	omsecor.exe
1432	omsecor.exe

Loads dropped DLL 4 IoCs

Processes:

0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exeomsecor.exe

pid	process
2812	0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe
2812	0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe
2632	omsecor.exe
2632	omsecor.exe

Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exeomsecor.exe

description	pid	process	target process
PID 2812 wrote to memory of 2632	2812	0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe	omsecor.exe
PID 2812 wrote to memory of 2632	2812	0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe	omsecor.exe
PID 2812 wrote to memory of 2632	2812	0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe	omsecor.exe
PID 2812 wrote to memory of 2632	2812	0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe	omsecor.exe
PID 2632 wrote to memory of 1432	2632	omsecor.exe	omsecor.exe
PID 2632 wrote to memory of 1432	2632	omsecor.exe	omsecor.exe
PID 2632 wrote to memory of 1432	2632	omsecor.exe	omsecor.exe
PID 2632 wrote to memory of 1432	2632	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
66666358dc85a10bb342681b6811942f

SHA1
ba53910509bc01f73a9a97aab3a66e935774f55d

SHA256
c302add7b955f5381fc1a3c1eeac1f54e6929d38e12caa15ccbb130a50356eda

SHA512
68d7392288d667759aaa520c32cab2bdfb37826f9d32f3834f96fd3adc07715beb779e8ccd46d5586cf7f1b698ad971e217acba1e10a51bdea8718b0c134a942

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
92KB

MD5
a40048682d5eb5a0bb2df800e9d951ac

SHA1
24233ee13e5f02d3cf43bccabda471873f4bc73a

SHA256
bc9ae641e32638a924c9b9fed6866fe3072117ccd373c96481c3596fc398cf2f

SHA512
7d12ba4621523373a3f575ddc424788c8740f709cbe6676011db8056b441c80debc6cacefa905f339dc3dda858411ba4608786ebe6d473beb7194e1e2532e8a8

Download Submit
memory/1432-30-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1432-28-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2632-29-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2632-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2632-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2632-19-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/2632-27-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/2812-13-0x00000000001B0000-0x00000000001DB000-memory.dmp

Filesize
172KB

Download
memory/2812-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2812-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2812-4-0x00000000001B0000-0x00000000001DB000-memory.dmp

Filesize
172KB

Download