neconyd | 03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6

General

Target

03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
Size

134KB
MD5

f4a09f8b63822d6dd1497a25630415d0
SHA1

ca7bb73060d757f7b94b336f713e893d5b093417
SHA256

03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6
SHA512

5640592b4f29875d4af29d7f21a5f600e5a695fbc787fd066508813f7e3c488590a69e2124475193e4b4ff9bb87b9ebc27a658560e5632a06982d2296e24f1d2
SSDEEP

1536:9DfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:NiRTeH0NqAW6J6f1tqF6dngNmaZC7M

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

4856 omsecor.exe
3864 omsecor.exe
1464 omsecor.exe
2816 omsecor.exe
2968 omsecor.exe
1676 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
4856	omsecor.exe
3864	omsecor.exe
1464	omsecor.exe
2816	omsecor.exe
2968	omsecor.exe
1676	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3448 set thread context of 4128	3448	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
PID 4856 set thread context of 3864	4856	omsecor.exe	omsecor.exe
PID 1464 set thread context of 2816	1464	omsecor.exe	omsecor.exe
PID 2968 set thread context of 1676	2968	omsecor.exe	omsecor.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3128	3448	WerFault.exe	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
3596	4856	WerFault.exe	omsecor.exe
3128	1464	WerFault.exe	omsecor.exe
4364	2968	WerFault.exe	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3448 wrote to memory of 4128	3448	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
PID 3448 wrote to memory of 4128	3448	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
PID 3448 wrote to memory of 4128	3448	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
PID 3448 wrote to memory of 4128	3448	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
PID 3448 wrote to memory of 4128	3448	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
PID 4128 wrote to memory of 4856	4128	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	omsecor.exe
PID 4128 wrote to memory of 4856	4128	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	omsecor.exe
PID 4128 wrote to memory of 4856	4128	03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe	omsecor.exe
PID 4856 wrote to memory of 3864	4856	omsecor.exe	omsecor.exe
PID 4856 wrote to memory of 3864	4856	omsecor.exe	omsecor.exe
PID 4856 wrote to memory of 3864	4856	omsecor.exe	omsecor.exe
PID 4856 wrote to memory of 3864	4856	omsecor.exe	omsecor.exe
PID 4856 wrote to memory of 3864	4856	omsecor.exe	omsecor.exe
PID 3864 wrote to memory of 1464	3864	omsecor.exe	omsecor.exe
PID 3864 wrote to memory of 1464	3864	omsecor.exe	omsecor.exe
PID 3864 wrote to memory of 1464	3864	omsecor.exe	omsecor.exe
PID 1464 wrote to memory of 2816	1464	omsecor.exe	omsecor.exe
PID 1464 wrote to memory of 2816	1464	omsecor.exe	omsecor.exe
PID 1464 wrote to memory of 2816	1464	omsecor.exe	omsecor.exe
PID 1464 wrote to memory of 2816	1464	omsecor.exe	omsecor.exe
PID 1464 wrote to memory of 2816	1464	omsecor.exe	omsecor.exe
PID 2816 wrote to memory of 2968	2816	omsecor.exe	omsecor.exe
PID 2816 wrote to memory of 2968	2816	omsecor.exe	omsecor.exe
PID 2816 wrote to memory of 2968	2816	omsecor.exe	omsecor.exe
PID 2968 wrote to memory of 1676	2968	omsecor.exe	omsecor.exe
PID 2968 wrote to memory of 1676	2968	omsecor.exe	omsecor.exe
PID 2968 wrote to memory of 1676	2968	omsecor.exe	omsecor.exe
PID 2968 wrote to memory of 1676	2968	omsecor.exe	omsecor.exe
PID 2968 wrote to memory of 1676	2968	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3448

C:\Users\Admin\AppData\Local\Temp\03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\03ee083975d66f6bd7c462cf94df6b97fff2441af6a977756efdb749111e0cc6_NeikiAnalytics.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4128

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4856

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 256
8⤵
- Program crash
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 292
6⤵
- Program crash
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 288
4⤵
- Program crash
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 288
2⤵
- Program crash
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3448 -ip 3448
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4856 -ip 4856
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1464 -ip 1464
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2968 -ip 2968
1⤵
PID:1408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
bf72b94545031c3508b689f0b664859f

SHA1
49b59157411377c77d07d4e4270bddbe70ca6566

SHA256
acf94358029cc75b53f2d441c93ce09db53622f1a8f3505f67b8f76950a92d1f

SHA512
d9cc739c654c105b9299b63202df00a2618504ed619c9a166f0051d05bbe6021603e2baa4e1c1c3ab45500665b4963abe5e586db3e90e9cb751aad85375eefd9

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
17aa07f790c23d3eff89b4e2df6ad9cc

SHA1
0030de1eb2612979da2bbaac44f7003c798bd736

SHA256
1a6370206dd730ff51382ae11218f9874de4e70cd25f328fabca123fd01f75be

SHA512
bb1b5ec6cff6bc9ea33a120c0887bde82f836601bde19ec4b6786a7d46acec7d849349f786843828ddce90618fba302640ada4a3bc4203a69ed6dea1ee01e395

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
134KB

MD5
542703ab21485ba50171c7e350685b11

SHA1
02d1af5fe74b4a359ee1f7a6873a58bf939de162

SHA256
50882b88531e7c44912dda7e18f2089d7402ff87fc7a15cbaa93c5a36af1545d

SHA512
82bbdba199563705b447e542e73890d80dea347a461087443339e4b32fdc770371e3183616a3b8d876530ab70f5d1a1a87cf52bf26b905f0ab85b3cf5fc0ef60

Download Submit
memory/1464-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1676-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1676-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1676-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1676-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2816-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2816-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2816-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2968-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3448-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3448-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3864-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3864-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4856-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads