neconyd | 03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6

General

Target

03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
Size

134KB
MD5

f4a09f8b63822d6dd1497a25630415d0
SHA1

ca7bb73060d757f7b94b336f713e893d5b093417
SHA256

03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6
SHA512

5640592b4f29875d4af29d7f21a5f600e5a695fbc787fd066508813f7e3c488590a69e2124475193e4b4ff9bb87b9ebc27a658560e5632a06982d2296e24f1d2
SSDEEP

1536:9DfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:NiRTeH0NqAW6J6f1tqF6dngNmaZC7M

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

2600 omsecor.exe
2612 omsecor.exe
2160 omsecor.exe
2836 omsecor.exe
1308 omsecor.exe
2880 omsecor.exe

pid	process
2600	omsecor.exe
2612	omsecor.exe
2160	omsecor.exe
2836	omsecor.exe
1308	omsecor.exe
2880	omsecor.exe

Loads dropped DLL 7 IoCs

Processes:

03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

pid	process
2076	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
2076	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
2600	omsecor.exe
2612	omsecor.exe
2612	omsecor.exe
2836	omsecor.exe
2836	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2020 set thread context of 2076	2020	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
PID 2600 set thread context of 2612	2600	omsecor.exe	omsecor.exe
PID 2160 set thread context of 2836	2160	omsecor.exe	omsecor.exe
PID 1308 set thread context of 2880	1308	omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2020 wrote to memory of 2076	2020	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
PID 2020 wrote to memory of 2076	2020	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
PID 2020 wrote to memory of 2076	2020	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
PID 2020 wrote to memory of 2076	2020	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
PID 2020 wrote to memory of 2076	2020	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
PID 2020 wrote to memory of 2076	2020	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
PID 2076 wrote to memory of 2600	2076	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	omsecor.exe
PID 2076 wrote to memory of 2600	2076	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	omsecor.exe
PID 2076 wrote to memory of 2600	2076	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	omsecor.exe
PID 2076 wrote to memory of 2600	2076	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	omsecor.exe
PID 2600 wrote to memory of 2612	2600	omsecor.exe	omsecor.exe
PID 2600 wrote to memory of 2612	2600	omsecor.exe	omsecor.exe
PID 2600 wrote to memory of 2612	2600	omsecor.exe	omsecor.exe
PID 2600 wrote to memory of 2612	2600	omsecor.exe	omsecor.exe
PID 2600 wrote to memory of 2612	2600	omsecor.exe	omsecor.exe
PID 2600 wrote to memory of 2612	2600	omsecor.exe	omsecor.exe
PID 2612 wrote to memory of 2160	2612	omsecor.exe	omsecor.exe
PID 2612 wrote to memory of 2160	2612	omsecor.exe	omsecor.exe
PID 2612 wrote to memory of 2160	2612	omsecor.exe	omsecor.exe
PID 2612 wrote to memory of 2160	2612	omsecor.exe	omsecor.exe
PID 2160 wrote to memory of 2836	2160	omsecor.exe	omsecor.exe
PID 2160 wrote to memory of 2836	2160	omsecor.exe	omsecor.exe
PID 2160 wrote to memory of 2836	2160	omsecor.exe	omsecor.exe
PID 2160 wrote to memory of 2836	2160	omsecor.exe	omsecor.exe
PID 2160 wrote to memory of 2836	2160	omsecor.exe	omsecor.exe
PID 2160 wrote to memory of 2836	2160	omsecor.exe	omsecor.exe
PID 2836 wrote to memory of 1308	2836	omsecor.exe	omsecor.exe
PID 2836 wrote to memory of 1308	2836	omsecor.exe	omsecor.exe
PID 2836 wrote to memory of 1308	2836	omsecor.exe	omsecor.exe
PID 2836 wrote to memory of 1308	2836	omsecor.exe	omsecor.exe
PID 1308 wrote to memory of 2880	1308	omsecor.exe	omsecor.exe
PID 1308 wrote to memory of 2880	1308	omsecor.exe	omsecor.exe
PID 1308 wrote to memory of 2880	1308	omsecor.exe	omsecor.exe
PID 1308 wrote to memory of 2880	1308	omsecor.exe	omsecor.exe
PID 1308 wrote to memory of 2880	1308	omsecor.exe	omsecor.exe
PID 1308 wrote to memory of 2880	1308	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:2880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
17aa07f790c23d3eff89b4e2df6ad9cc

SHA1
0030de1eb2612979da2bbaac44f7003c798bd736

SHA256
1a6370206dd730ff51382ae11218f9874de4e70cd25f328fabca123fd01f75be

SHA512
bb1b5ec6cff6bc9ea33a120c0887bde82f836601bde19ec4b6786a7d46acec7d849349f786843828ddce90618fba302640ada4a3bc4203a69ed6dea1ee01e395

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
36fc31ad989ff441bfb7351a59476ce8

SHA1
76b8e4e41450ea55445dedc6fcb34e63b4f06b9f

SHA256
8d4f1e2c2c6b913ba2cd925b5d8f81ee6ae05c9e30b9b0e3334673598b84352a

SHA512
d3359e4906268d3da2b0d67f6035b3b70d49664cc086dc2c136d1007eaef6868b1062ed95d1001347dfca7123ca83e4289bd062f4cba0704ca715b86b5f080c2

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
134KB

MD5
0d8e88598f75eac662af28586b962824

SHA1
9b96d9d3b192514affd047ae13168f8cfc56ced5

SHA256
aabf5bf30c9ce494afeafff2ecd35b08b7afed9086edfbc395af1a69b90cf82c

SHA512
a45c480a11fee17ffd64aa7f2cd5ec66dd59263bdee69b3eea66f825418ffd8af1d734750dcee3fa94698352ef90bef42c4f3080e0461946b336f434a20ac7d8

Download Submit
memory/1308-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1308-76-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2020-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2020-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2076-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2076-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2076-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2076-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2076-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2160-54-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2160-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2600-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2600-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2612-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2612-44-0x0000000000290000-0x00000000002B4000-memory.dmp

Filesize
144KB

Download
memory/2612-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2612-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2612-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2836-68-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2880-85-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads