neconyd | 2c71a105e35323d85221d06c9afe678b1d3c559c66b8f480b3921884da031a9d

General

Target

2c71a105e35323d85221d06c9afe678b1d3c559c66b8f480b3921884da031a9d_NeikiAnalytics.exe
Size

92KB
MD5

df9637f695d2cc97bf4cce55db23adc0
SHA1

3792f1675e647c2369cdac30cc4c3fefc83d3b84
SHA256

2c71a105e35323d85221d06c9afe678b1d3c559c66b8f480b3921884da031a9d
SHA512

43079b5c3a50065a36c2d6cefcd4cf9b553586d0f80c237266555830e3dfbd2f57155668b34f9acb9c14bc767f091651718c05b1599034c52959b8d57af2b8e5
SSDEEP

768:aMEIvFGvZEr8LFK0ic4PN47eSdYAHwmZNp6JXXlaa5uA:abIvYvZEyFKFPN4yS+AQmZol/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2856 omsecor.exe
1660 omsecor.exe
1948 omsecor.exe

pid	process
2856	omsecor.exe
1660	omsecor.exe
1948	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

2c71a105e35323d85221d06c9afe678b1d3c559c66b8f480b3921884da031a9d_NeikiAnalytics.exeomsecor.exeomsecor.exe

pid	process
2024	2c71a105e35323d85221d06c9afe678b1d3c559c66b8f480b3921884da031a9d_NeikiAnalytics.exe
2024	2c71a105e35323d85221d06c9afe678b1d3c559c66b8f480b3921884da031a9d_NeikiAnalytics.exe
2856	omsecor.exe
2856	omsecor.exe
1660	omsecor.exe
1660	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2c71a105e35323d85221d06c9afe678b1d3c559c66b8f480b3921884da031a9d_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2024 wrote to memory of 2856	2024	2c71a105e35323d85221d06c9afe678b1d3c559c66b8f480b3921884da031a9d_NeikiAnalytics.exe	omsecor.exe
PID 2024 wrote to memory of 2856	2024	2c71a105e35323d85221d06c9afe678b1d3c559c66b8f480b3921884da031a9d_NeikiAnalytics.exe	omsecor.exe
PID 2024 wrote to memory of 2856	2024	2c71a105e35323d85221d06c9afe678b1d3c559c66b8f480b3921884da031a9d_NeikiAnalytics.exe	omsecor.exe
PID 2024 wrote to memory of 2856	2024	2c71a105e35323d85221d06c9afe678b1d3c559c66b8f480b3921884da031a9d_NeikiAnalytics.exe	omsecor.exe
PID 2856 wrote to memory of 1660	2856	omsecor.exe	omsecor.exe
PID 2856 wrote to memory of 1660	2856	omsecor.exe	omsecor.exe
PID 2856 wrote to memory of 1660	2856	omsecor.exe	omsecor.exe
PID 2856 wrote to memory of 1660	2856	omsecor.exe	omsecor.exe
PID 1660 wrote to memory of 1948	1660	omsecor.exe	omsecor.exe
PID 1660 wrote to memory of 1948	1660	omsecor.exe	omsecor.exe
PID 1660 wrote to memory of 1948	1660	omsecor.exe	omsecor.exe
PID 1660 wrote to memory of 1948	1660	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\2c71a105e35323d85221d06c9afe678b1d3c559c66b8f480b3921884da031a9d_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2c71a105e35323d85221d06c9afe678b1d3c559c66b8f480b3921884da031a9d_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
b1cb404d160cb242c92680f06300a141

SHA1
ed38781896d6016816054ea84b18a313fd37df01

SHA256
d1ed9d421c6222b537b5e122c50144783048626a4f4e3399ab77fd6c92f6ae72

SHA512
0e40395b9a8ccb6b5301da10d8904f64a6c15f165ceb280e15073ec272b1e23097f38fcf83182a1e26e0548f58b2dadd99e511ddd3adbeeddb1bc41e05d3efdf

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
3e57d0171831b8725e08852bd2e5907a

SHA1
140ee4fb80689532cb823a1f30f5a268dcb78925

SHA256
0fb24fa940af1f4404fad5ff0749dfa1e76e5f6c9e3b1028703da12d82347d1c

SHA512
15964e853dda5262158029bb5d9ff5009cbc243088a3fda5f2b36d79fb4fcfe507040ed42457da68844facae8eb7508e16d4012e784bdee60e117ca0699c772a

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
92KB

MD5
8bbb7fe2ad64eceb091b4132397b28e6

SHA1
25e7e5b9bf75f6013d9eb295d6c6f1c613b5d0ec

SHA256
e5f7fc0faae582fcf56a8a869c5e9d3f8f634e84f0c5cc595175b0f52050fedb

SHA512
b9c5a700046dc0b56c7b8679c41b261f7bcb470e7eaad6405fe9d20bffc0259b249ffe6559ad1048d8c222378d5061e7a49cfabfb55dc417302cccc3e5f568f3

Download Submit
memory/1660-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1948-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1948-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2024-9-0x00000000002C0000-0x00000000002EB000-memory.dmp

Filesize
172KB

Download
memory/2024-4-0x00000000002C0000-0x00000000002EB000-memory.dmp

Filesize
172KB

Download
memory/2024-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2024-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2856-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2856-18-0x0000000000440000-0x000000000046B000-memory.dmp

Filesize
172KB

Download
memory/2856-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing