neconyd | 6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe
Size

92KB
MD5

7d50d23aaae2a0c930c46d06d1dc39f0
SHA1

54726201b79b712384fba1c267971091450fdb9a
SHA256

6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6
SHA512

b2144379373d3bec5624bc60130686f28644a58cd3393776383c6016dfbfb01d7fddfc37bce181f71541d181c5f6eafb176558a75fc5f8460752d3609a2038a7
SSDEEP

768:VMEIYFGvoErlLFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:VbIYYvoE1FKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2716 omsecor.exe
4844 omsecor.exe
2992 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
2716	omsecor.exe
4844	omsecor.exe
2992	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1424 wrote to memory of 2716	1424	6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe	omsecor.exe
PID 1424 wrote to memory of 2716	1424	6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe	omsecor.exe
PID 1424 wrote to memory of 2716	1424	6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe	omsecor.exe
PID 2716 wrote to memory of 4844	2716	omsecor.exe	omsecor.exe
PID 2716 wrote to memory of 4844	2716	omsecor.exe	omsecor.exe
PID 2716 wrote to memory of 4844	2716	omsecor.exe	omsecor.exe
PID 4844 wrote to memory of 2992	4844	omsecor.exe	omsecor.exe
PID 4844 wrote to memory of 2992	4844	omsecor.exe	omsecor.exe
PID 4844 wrote to memory of 2992	4844	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1276,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:8
1⤵
PID:656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
e3807c1088b20497fc32a34d9ab3a824

SHA1
c31e9b84cd5a800770524ea9a6e2a358f359876b

SHA256
75b118e23ffd386607259f80194bb5c796f30fe1e1b78d661c6accf61b5fe8bd

SHA512
47218e24d83f36e269159cac6b0005cd17f684a3434734dbc3b3b22162578a77d9df9aa09a3a3b3f9f1c0c0b5b5984d9c27d897ff9a5dff2de6d063319ea803a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
e0b8cf155fa7b36155ed15cec0ab2c9d

SHA1
8019ecf3a5a1e109d3c08d40af57da66928980c9

SHA256
fbc6ac2db862e5b96186d89f9a8cfd69e0c5c473626c18743a37dc1327baddbf

SHA512
cf5e0670ec2d65fc7f5b5b429ef296b8d2b1f69738c63b2ee4c99a0080bac1fedf1a2b5d3c6e37d80797d99c08a9933cbb1c44c596bb259cfb47c226ae18a87b

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
92KB

MD5
2321b7433af3ee864e3a4f53df750bc6

SHA1
f1d4389944e617b5a672a7723651b5574611f079

SHA256
9cd26245f867a95ca61d98ac9912d09cc357c8438fcfda8b15581e7cb91e1f5f

SHA512
fdb7480aed5e761fef3f6808f810cd5ff17060dc6a0f573001d9fe2f71d74f949c3ac94ae7add8fb16fbd8372e587b3e3d479f8c53462dba6a55824b1e076eaf

Download Submit
memory/1424-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1424-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2716-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2716-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2716-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2992-19-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2992-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4844-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4844-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download