neconyd | 59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa

General

Target

59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
Size

134KB
MD5

4aab679075e9e6c417bb2aa96673bb00
SHA1

9f563f11135e3463d46a5821b82de600e45047d3
SHA256

59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa
SHA512

26c918575d024dd2cb7f3fc8e0546ca198ff26c768349374b1001a2f9d3a2a3fe62266f8322c72d6019186f124512d3bb3687af69c98bc7b08d26bb70b68cad7
SSDEEP

1536:BDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:hiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

2144 omsecor.exe
2720 omsecor.exe
1772 omsecor.exe
924 omsecor.exe
1608 omsecor.exe
1960 omsecor.exe

pid	process
2144	omsecor.exe
2720	omsecor.exe
1772	omsecor.exe
924	omsecor.exe
1608	omsecor.exe
1960	omsecor.exe

Loads dropped DLL 7 IoCs

Processes:

59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

pid	process
1944	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
1944	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
2144	omsecor.exe
2720	omsecor.exe
2720	omsecor.exe
924	omsecor.exe
924	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2084 set thread context of 1944	2084	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
PID 2144 set thread context of 2720	2144	omsecor.exe	omsecor.exe
PID 1772 set thread context of 924	1772	omsecor.exe	omsecor.exe
PID 1608 set thread context of 1960	1608	omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2084 wrote to memory of 1944	2084	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
PID 2084 wrote to memory of 1944	2084	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
PID 2084 wrote to memory of 1944	2084	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
PID 2084 wrote to memory of 1944	2084	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
PID 2084 wrote to memory of 1944	2084	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
PID 2084 wrote to memory of 1944	2084	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
PID 1944 wrote to memory of 2144	1944	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	omsecor.exe
PID 1944 wrote to memory of 2144	1944	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	omsecor.exe
PID 1944 wrote to memory of 2144	1944	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	omsecor.exe
PID 1944 wrote to memory of 2144	1944	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	omsecor.exe
PID 2144 wrote to memory of 2720	2144	omsecor.exe	omsecor.exe
PID 2144 wrote to memory of 2720	2144	omsecor.exe	omsecor.exe
PID 2144 wrote to memory of 2720	2144	omsecor.exe	omsecor.exe
PID 2144 wrote to memory of 2720	2144	omsecor.exe	omsecor.exe
PID 2144 wrote to memory of 2720	2144	omsecor.exe	omsecor.exe
PID 2144 wrote to memory of 2720	2144	omsecor.exe	omsecor.exe
PID 2720 wrote to memory of 1772	2720	omsecor.exe	omsecor.exe
PID 2720 wrote to memory of 1772	2720	omsecor.exe	omsecor.exe
PID 2720 wrote to memory of 1772	2720	omsecor.exe	omsecor.exe
PID 2720 wrote to memory of 1772	2720	omsecor.exe	omsecor.exe
PID 1772 wrote to memory of 924	1772	omsecor.exe	omsecor.exe
PID 1772 wrote to memory of 924	1772	omsecor.exe	omsecor.exe
PID 1772 wrote to memory of 924	1772	omsecor.exe	omsecor.exe
PID 1772 wrote to memory of 924	1772	omsecor.exe	omsecor.exe
PID 1772 wrote to memory of 924	1772	omsecor.exe	omsecor.exe
PID 1772 wrote to memory of 924	1772	omsecor.exe	omsecor.exe
PID 924 wrote to memory of 1608	924	omsecor.exe	omsecor.exe
PID 924 wrote to memory of 1608	924	omsecor.exe	omsecor.exe
PID 924 wrote to memory of 1608	924	omsecor.exe	omsecor.exe
PID 924 wrote to memory of 1608	924	omsecor.exe	omsecor.exe
PID 1608 wrote to memory of 1960	1608	omsecor.exe	omsecor.exe
PID 1608 wrote to memory of 1960	1608	omsecor.exe	omsecor.exe
PID 1608 wrote to memory of 1960	1608	omsecor.exe	omsecor.exe
PID 1608 wrote to memory of 1960	1608	omsecor.exe	omsecor.exe
PID 1608 wrote to memory of 1960	1608	omsecor.exe	omsecor.exe
PID 1608 wrote to memory of 1960	1608	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2084

C:\Users\Admin\AppData\Local\Temp\59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2144

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:1960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
4cc2a7af5684231ad933dea15c3b8d21

SHA1
ace38f108fa84be6aed696ccf643e56fa230f0de

SHA256
8c174378d7230d9c0a707b5d88be8d8744e225a5a80c3c34b3723553d375daf3

SHA512
ea00dc25ef1f0aa048f5ec6304d8d30d1591371697af7fb01c896280814192a11d6842ba5f5a6a2ba481f6b35456a3ea37de9b6228ecf810d698ebe0c06980cb

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
707df6f92718536432a37725677c88cd

SHA1
78df910aeb42503852dc41ba68ad99f84ba4a431

SHA256
73a0e1e49820c37a6aea064e63da9a193c09b86e33dd1595c93f9875e6dab9d0

SHA512
abcf69aaaa74004e374f75c0c7e8859ebfbbf806ca298a482ae9ab7e67a837c35fca257b5b1c7bbcd40b6b13972e313f20b097654a5b0681b75f0c31097645d2

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
134KB

MD5
5a27515712d66dbe7b9f711ec7e419c7

SHA1
d4f3de54cd7c4c29a35c41304e1535f7d317c49e

SHA256
232c6bd6098084318bf5b6857553c244346d492676d964afca383751bc4de683

SHA512
eeb6ffd149529bf9accc90faaad8a24c81c89196e2b643efd18dd6be6c2785f661077a86199aeca4ae438a9d10fb2eb0817951e4532006516130d620a7c78835

Download Submit
memory/1608-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1608-76-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1772-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1772-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1944-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1944-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1944-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1944-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1944-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1960-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1960-85-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2084-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2084-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2144-23-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2144-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2144-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2720-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-45-0x00000000020C0000-0x00000000020E4000-memory.dmp

Filesize
144KB

Download
memory/2720-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads