neconyd | 8e32299c8e982f7abc23e78bec39c817935fef529f72a0bcd1bf7f105e0fc746

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 09:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2fb12b014697a72a94273c76873eda60_NeikiAnalytics.exe
Size

90KB
MD5

2fb12b014697a72a94273c76873eda60
SHA1

5b38c722c8b3fc71bc4d5efc5ca16e21e7f5afb1
SHA256

8e32299c8e982f7abc23e78bec39c817935fef529f72a0bcd1bf7f105e0fc746
SHA512

75974567489cef769db559ae5af400adf343d61d6776f1ad9759d9e75be43c82612f207bed4fa59e3ef36675fb46370dd93e1fd348da74d5cdb8889e7b96df3c
SSDEEP

768:9MEIYFGvoErlLFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:9bIYYvoE1FKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2192	omsecor.exe
1036	omsecor.exe
2492	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2116	2fb12b014697a72a94273c76873eda60_NeikiAnalytics.exe
2116	2fb12b014697a72a94273c76873eda60_NeikiAnalytics.exe
2192	omsecor.exe
2192	omsecor.exe
1036	omsecor.exe
1036	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2192	2116	2fb12b014697a72a94273c76873eda60_NeikiAnalytics.exe	28
PID 2116 wrote to memory of 2192	2116	2fb12b014697a72a94273c76873eda60_NeikiAnalytics.exe	28
PID 2116 wrote to memory of 2192	2116	2fb12b014697a72a94273c76873eda60_NeikiAnalytics.exe	28
PID 2116 wrote to memory of 2192	2116	2fb12b014697a72a94273c76873eda60_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 1036	2192	omsecor.exe	32
PID 2192 wrote to memory of 1036	2192	omsecor.exe	32
PID 2192 wrote to memory of 1036	2192	omsecor.exe	32
PID 2192 wrote to memory of 1036	2192	omsecor.exe	32
PID 1036 wrote to memory of 2492	1036	omsecor.exe	33
PID 1036 wrote to memory of 2492	1036	omsecor.exe	33
PID 1036 wrote to memory of 2492	1036	omsecor.exe	33
PID 1036 wrote to memory of 2492	1036	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\2fb12b014697a72a94273c76873eda60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2fb12b014697a72a94273c76873eda60_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:2492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
e541788e0f17e0c34d0bf386abf6bf4f

SHA1
b7107ee6553e065e7b79bd932f2ea033f906ea8b

SHA256
ca85ce50874fca4245e08136c90feb405b19da54da3aaadaf2cc72bfd6ba1ff1

SHA512
d55c4c18d0da0a5f7db13318446d2596feb5a9de42cbc6f924189ca7dcf080061261a4e12cf0b25c6a40d52e85dd6798271efb5ce463246a370ed093118de34b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
2832889a812b997986f629f07c1d4de5

SHA1
67d2e9ca4318a2ce3b3687d85520c75dd9fa18d7

SHA256
3b5040e94935b5651f8383597210e11a33d1c2513546c08d83ccae8438ca2b3e

SHA512
78a8dfb23d9252cbcb5f384c51dd192bee3dfbc711f308ca827f216c7ab2f8707ac1205b61fdf711ac5616078ac34b94704f175f9b36bd6528a2ee4229c11f46

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
558f8e1700a8cf69bbe6d60a39f30f4c

SHA1
d14edc4c8c318dfe57854db561e9542f69d42661

SHA256
f77f6e830409a6db5fd14335231d96295f73df5779df3984d44b2702d2558385

SHA512
ecb428c8cf6d2ec738a92bf9e7f83c42ef589de495149d93d333355b2c8b0fd290e8220d02871d14452517e03f5aa91eb8625c5947e7ba56f0643e9d6243bb53

Download Submit
memory/1036-22-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1036-33-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1036-27-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2116-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2192-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2192-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2192-14-0x0000000000730000-0x000000000075B000-memory.dmp

Filesize
172KB

Download
memory/2192-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2492-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2492-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download