neconyd | cb02fa7466189f81d6f0aa2bd844f71646022ae413ea4043dac19b065e0f4163

General

Target

17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
Size

96KB
MD5

17415538c00d202a5cb4e0169cf83f90
SHA1

a9ef8332227b94b3d2a943066127a9b7f622a105
SHA256

cb02fa7466189f81d6f0aa2bd844f71646022ae413ea4043dac19b065e0f4163
SHA512

9bef0dea2f0446cdcfbbe66fc7b79bac11ebd0bbcf21dc4ca4f65f0f51b3f2daca0829f336daf56b8d55f062525a0933db9e066462f33a621a4902fb67aa92b8
SSDEEP

1536:1nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:1Gs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

2172 omsecor.exe
2584 omsecor.exe
1908 omsecor.exe
2232 omsecor.exe
1332 omsecor.exe
2128 omsecor.exe

pid	process
2172	omsecor.exe
2584	omsecor.exe
1908	omsecor.exe
2232	omsecor.exe
1332	omsecor.exe
2128	omsecor.exe

Loads dropped DLL 7 IoCs

Processes:

17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

pid	process
1616	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
1616	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
2172	omsecor.exe
2584	omsecor.exe
2584	omsecor.exe
2232	omsecor.exe
2232	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1984 set thread context of 1616	1984	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
PID 2172 set thread context of 2584	2172	omsecor.exe	omsecor.exe
PID 1908 set thread context of 2232	1908	omsecor.exe	omsecor.exe
PID 1332 set thread context of 2128	1332	omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1984 wrote to memory of 1616	1984	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
PID 1984 wrote to memory of 1616	1984	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
PID 1984 wrote to memory of 1616	1984	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
PID 1984 wrote to memory of 1616	1984	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
PID 1984 wrote to memory of 1616	1984	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
PID 1984 wrote to memory of 1616	1984	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
PID 1616 wrote to memory of 2172	1616	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	omsecor.exe
PID 1616 wrote to memory of 2172	1616	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	omsecor.exe
PID 1616 wrote to memory of 2172	1616	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	omsecor.exe
PID 1616 wrote to memory of 2172	1616	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	omsecor.exe
PID 2172 wrote to memory of 2584	2172	omsecor.exe	omsecor.exe
PID 2172 wrote to memory of 2584	2172	omsecor.exe	omsecor.exe
PID 2172 wrote to memory of 2584	2172	omsecor.exe	omsecor.exe
PID 2172 wrote to memory of 2584	2172	omsecor.exe	omsecor.exe
PID 2172 wrote to memory of 2584	2172	omsecor.exe	omsecor.exe
PID 2172 wrote to memory of 2584	2172	omsecor.exe	omsecor.exe
PID 2584 wrote to memory of 1908	2584	omsecor.exe	omsecor.exe
PID 2584 wrote to memory of 1908	2584	omsecor.exe	omsecor.exe
PID 2584 wrote to memory of 1908	2584	omsecor.exe	omsecor.exe
PID 2584 wrote to memory of 1908	2584	omsecor.exe	omsecor.exe
PID 1908 wrote to memory of 2232	1908	omsecor.exe	omsecor.exe
PID 1908 wrote to memory of 2232	1908	omsecor.exe	omsecor.exe
PID 1908 wrote to memory of 2232	1908	omsecor.exe	omsecor.exe
PID 1908 wrote to memory of 2232	1908	omsecor.exe	omsecor.exe
PID 1908 wrote to memory of 2232	1908	omsecor.exe	omsecor.exe
PID 1908 wrote to memory of 2232	1908	omsecor.exe	omsecor.exe
PID 2232 wrote to memory of 1332	2232	omsecor.exe	omsecor.exe
PID 2232 wrote to memory of 1332	2232	omsecor.exe	omsecor.exe
PID 2232 wrote to memory of 1332	2232	omsecor.exe	omsecor.exe
PID 2232 wrote to memory of 1332	2232	omsecor.exe	omsecor.exe
PID 1332 wrote to memory of 2128	1332	omsecor.exe	omsecor.exe
PID 1332 wrote to memory of 2128	1332	omsecor.exe	omsecor.exe
PID 1332 wrote to memory of 2128	1332	omsecor.exe	omsecor.exe
PID 1332 wrote to memory of 2128	1332	omsecor.exe	omsecor.exe
PID 1332 wrote to memory of 2128	1332	omsecor.exe	omsecor.exe
PID 1332 wrote to memory of 2128	1332	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2172

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1332

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:2128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
236525cad0fd80992807c1f8b6eef799

SHA1
133e1d0b2a9cc7ba21a8fa52241bf781c349fc0f

SHA256
ea5142b53fa42bbdbd3ab4fb2d0228202e40aa0d53aabf7336b69e37c53322c1

SHA512
1054059a0a81f2efc101e843dca6186e43980c92eb265ea503cae5c80bc004638b55dcd6aed492371d18e7566195b6390a7a19e651f2a12aaa21c1714a072280

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
df981405c516cb91e906111788f300e7

SHA1
11f563dc5e8a881e86245ec02a4cb0814a7867d5

SHA256
ce4e32bdaa24fb942ce23528b7f779086446269645719a243cd72bf5a9284273

SHA512
8c26bbefe513922341663ad1154742580afd1d6129aa73664df9026cc9dcc5759af4394fa4483e3e54afbbab25689f72029789c438493919dfaf43744a94b85a

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
96KB

MD5
2b6173856b4677aaafc776d6e41ccb15

SHA1
efcab6bb838dd133e8fc2a1dbdb986c6d05bd1ca

SHA256
c6550cafb88467acea38cc2fccdef17647426aba4968d61f026b1af1e2cdc62b

SHA512
7e9d4800c0c71f50a1d19343fda7e032c2e6ef49816df170bfdc3655b558f6a141ae4ff1e04150af015564e95d1328ac9b1c2ddd3f9d99c297db4eee14ea03e2

Download Submit
memory/1332-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1332-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1616-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1616-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1616-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1616-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1616-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1908-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1908-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1984-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1984-1-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/1984-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2128-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2128-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2172-34-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2172-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2172-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2232-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2584-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2584-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2584-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2584-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2584-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2584-48-0x00000000002C0000-0x00000000002E3000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads