neconyd | cb02fa7466189f81d6f0aa2bd844f71646022ae413ea4043dac19b065e0f4163

General

Target

17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
Size

96KB
MD5

17415538c00d202a5cb4e0169cf83f90
SHA1

a9ef8332227b94b3d2a943066127a9b7f622a105
SHA256

cb02fa7466189f81d6f0aa2bd844f71646022ae413ea4043dac19b065e0f4163
SHA512

9bef0dea2f0446cdcfbbe66fc7b79bac11ebd0bbcf21dc4ca4f65f0f51b3f2daca0829f336daf56b8d55f062525a0933db9e066462f33a621a4902fb67aa92b8
SSDEEP

1536:1nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:1Gs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

1100 omsecor.exe
2308 omsecor.exe
364 omsecor.exe
5060 omsecor.exe
2468 omsecor.exe
3552 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
1100	omsecor.exe
2308	omsecor.exe
364	omsecor.exe
5060	omsecor.exe
2468	omsecor.exe
3552	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3084 set thread context of 764	3084	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
PID 1100 set thread context of 2308	1100	omsecor.exe	omsecor.exe
PID 364 set thread context of 5060	364	omsecor.exe	omsecor.exe
PID 2468 set thread context of 3552	2468	omsecor.exe	omsecor.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2640	3084	WerFault.exe	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
2196	1100	WerFault.exe	omsecor.exe
984	2468	WerFault.exe
3116	364	WerFault.exe	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3084 wrote to memory of 764	3084	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
PID 3084 wrote to memory of 764	3084	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
PID 3084 wrote to memory of 764	3084	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
PID 3084 wrote to memory of 764	3084	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
PID 3084 wrote to memory of 764	3084	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
PID 764 wrote to memory of 1100	764	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	omsecor.exe
PID 764 wrote to memory of 1100	764	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	omsecor.exe
PID 764 wrote to memory of 1100	764	17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe	omsecor.exe
PID 1100 wrote to memory of 2308	1100	omsecor.exe	omsecor.exe
PID 1100 wrote to memory of 2308	1100	omsecor.exe	omsecor.exe
PID 1100 wrote to memory of 2308	1100	omsecor.exe	omsecor.exe
PID 1100 wrote to memory of 2308	1100	omsecor.exe	omsecor.exe
PID 1100 wrote to memory of 2308	1100	omsecor.exe	omsecor.exe
PID 2308 wrote to memory of 364	2308	omsecor.exe	omsecor.exe
PID 2308 wrote to memory of 364	2308	omsecor.exe	omsecor.exe
PID 2308 wrote to memory of 364	2308	omsecor.exe	omsecor.exe
PID 364 wrote to memory of 5060	364	omsecor.exe	omsecor.exe
PID 364 wrote to memory of 5060	364	omsecor.exe	omsecor.exe
PID 364 wrote to memory of 5060	364	omsecor.exe	omsecor.exe
PID 364 wrote to memory of 5060	364	omsecor.exe	omsecor.exe
PID 364 wrote to memory of 5060	364	omsecor.exe	omsecor.exe
PID 5060 wrote to memory of 2468	5060	omsecor.exe	omsecor.exe
PID 5060 wrote to memory of 2468	5060	omsecor.exe	omsecor.exe
PID 5060 wrote to memory of 2468	5060	omsecor.exe	omsecor.exe
PID 2468 wrote to memory of 3552	2468	omsecor.exe	omsecor.exe
PID 2468 wrote to memory of 3552	2468	omsecor.exe	omsecor.exe
PID 2468 wrote to memory of 3552	2468	omsecor.exe	omsecor.exe
PID 2468 wrote to memory of 3552	2468	omsecor.exe	omsecor.exe
PID 2468 wrote to memory of 3552	2468	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3084

C:\Users\Admin\AppData\Local\Temp\17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\17415538c00d202a5cb4e0169cf83f90_NeikiAnalytics.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 256
8⤵
- Program crash
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 292
6⤵
- Program crash
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 296
4⤵
- Program crash
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 300
2⤵
- Program crash
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3084 -ip 3084
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1100 -ip 1100
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 364 -ip 364
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2468 -ip 2468
1⤵
PID:2116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
d70e45eea8cf7048f765ad3edaa6c831

SHA1
498772cefe809be004e9a984ba7b604d5a1e44ce

SHA256
00a7509e41b141c4cf11c9b621bfb640733af36a56e131f4141a38fc744f1859

SHA512
41351f94c743da55ee3ba183527b1756a04d163a4a3508f685d4fb090f25e3e56828ac1e681b23481ecc40f647a2520c7c968a8d9d611cc13e59e65a1f772c8a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
236525cad0fd80992807c1f8b6eef799

SHA1
133e1d0b2a9cc7ba21a8fa52241bf781c349fc0f

SHA256
ea5142b53fa42bbdbd3ab4fb2d0228202e40aa0d53aabf7336b69e37c53322c1

SHA512
1054059a0a81f2efc101e843dca6186e43980c92eb265ea503cae5c80bc004638b55dcd6aed492371d18e7566195b6390a7a19e651f2a12aaa21c1714a072280

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
96KB

MD5
ce1f497a363496629ddbe3fcc95a784b

SHA1
b406cdbc64876494ba89469fb1732c2cc9c84a39

SHA256
7ce4814268c083828771204270e2527bc9f175297f39a39fefbd40090f03d29b

SHA512
e5fd9c7c6c346c846692b39731d19337a91be26654339360446096640c1ee3ef1a21c4f700729b2ce6d9374f3975779ab0407b00274aec7a36766288a86a840b

Download Submit
memory/364-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/364-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/764-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/764-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/764-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/764-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1100-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2308-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2308-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2308-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2308-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2308-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2308-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2308-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2468-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3084-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3084-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3552-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3552-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3552-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3552-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5060-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5060-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5060-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads