neconyd | 59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa

General

Target

59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
Size

134KB
MD5

4aab679075e9e6c417bb2aa96673bb00
SHA1

9f563f11135e3463d46a5821b82de600e45047d3
SHA256

59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa
SHA512

26c918575d024dd2cb7f3fc8e0546ca198ff26c768349374b1001a2f9d3a2a3fe62266f8322c72d6019186f124512d3bb3687af69c98bc7b08d26bb70b68cad7
SSDEEP

1536:BDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:hiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

2692 omsecor.exe
3792 omsecor.exe
4384 omsecor.exe
4240 omsecor.exe
3648 omsecor.exe
768 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
2692	omsecor.exe
3792	omsecor.exe
4384	omsecor.exe
4240	omsecor.exe
3648	omsecor.exe
768	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 4144 set thread context of 3332	4144	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
PID 2692 set thread context of 3792	2692	omsecor.exe	omsecor.exe
PID 4384 set thread context of 4240	4384	omsecor.exe	omsecor.exe
PID 3648 set thread context of 768	3648	omsecor.exe	omsecor.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
872	4144	WerFault.exe	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
5040	2692	WerFault.exe	omsecor.exe
1168	4384	WerFault.exe	omsecor.exe
4892	3648	WerFault.exe	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 4144 wrote to memory of 3332	4144	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
PID 4144 wrote to memory of 3332	4144	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
PID 4144 wrote to memory of 3332	4144	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
PID 4144 wrote to memory of 3332	4144	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
PID 4144 wrote to memory of 3332	4144	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
PID 3332 wrote to memory of 2692	3332	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	omsecor.exe
PID 3332 wrote to memory of 2692	3332	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	omsecor.exe
PID 3332 wrote to memory of 2692	3332	59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe	omsecor.exe
PID 2692 wrote to memory of 3792	2692	omsecor.exe	omsecor.exe
PID 2692 wrote to memory of 3792	2692	omsecor.exe	omsecor.exe
PID 2692 wrote to memory of 3792	2692	omsecor.exe	omsecor.exe
PID 2692 wrote to memory of 3792	2692	omsecor.exe	omsecor.exe
PID 2692 wrote to memory of 3792	2692	omsecor.exe	omsecor.exe
PID 3792 wrote to memory of 4384	3792	omsecor.exe	omsecor.exe
PID 3792 wrote to memory of 4384	3792	omsecor.exe	omsecor.exe
PID 3792 wrote to memory of 4384	3792	omsecor.exe	omsecor.exe
PID 4384 wrote to memory of 4240	4384	omsecor.exe	omsecor.exe
PID 4384 wrote to memory of 4240	4384	omsecor.exe	omsecor.exe
PID 4384 wrote to memory of 4240	4384	omsecor.exe	omsecor.exe
PID 4384 wrote to memory of 4240	4384	omsecor.exe	omsecor.exe
PID 4384 wrote to memory of 4240	4384	omsecor.exe	omsecor.exe
PID 4240 wrote to memory of 3648	4240	omsecor.exe	omsecor.exe
PID 4240 wrote to memory of 3648	4240	omsecor.exe	omsecor.exe
PID 4240 wrote to memory of 3648	4240	omsecor.exe	omsecor.exe
PID 3648 wrote to memory of 768	3648	omsecor.exe	omsecor.exe
PID 3648 wrote to memory of 768	3648	omsecor.exe	omsecor.exe
PID 3648 wrote to memory of 768	3648	omsecor.exe	omsecor.exe
PID 3648 wrote to memory of 768	3648	omsecor.exe	omsecor.exe
PID 3648 wrote to memory of 768	3648	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4144

C:\Users\Admin\AppData\Local\Temp\59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\59883ed7189f0a39bfa0d6b4948d13dae2caac9a71d335684d3cffd63716fefa_NeikiAnalytics.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3332

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2692

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3648

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 244
8⤵
- Program crash
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 292
6⤵
- Program crash
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 300
4⤵
- Program crash
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 288
2⤵
- Program crash
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4144 -ip 4144
1⤵
PID:724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2692 -ip 2692
1⤵
PID:4116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1276,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:8
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4384 -ip 4384
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3648 -ip 3648
1⤵
PID:2492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
e71f813f07d873165797b9ecd1d3735c

SHA1
38a73d59781f5c612630ee73123cb7207800327c

SHA256
4d9dad76f470632fc230a8ee330bce6f1eaa909dcf1223187f876b97c85af274

SHA512
08b3d881a41c3ddfdf0b3436ad15b6e649d13847fc2cc3178fbb35f553be51866f7cfbb00a5d6fb21a089a997bd13eac2842903941c999fa011c324c6cbf180f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
707df6f92718536432a37725677c88cd

SHA1
78df910aeb42503852dc41ba68ad99f84ba4a431

SHA256
73a0e1e49820c37a6aea064e63da9a193c09b86e33dd1595c93f9875e6dab9d0

SHA512
abcf69aaaa74004e374f75c0c7e8859ebfbbf806ca298a482ae9ab7e67a837c35fca257b5b1c7bbcd40b6b13972e313f20b097654a5b0681b75f0c31097645d2

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
134KB

MD5
b3975aa330e755ba0472a1edb76e890b

SHA1
ec3f5e7feca823e64eec40c349c50ab102fd17d1

SHA256
bc25d18431311737e77c66741b83ca6638a1dee0a78f079faf345e083dfc2c54

SHA512
c0ffd36ef9d89c87088d95b1f2d1049422b147e5cb4d84d3a4d549d227d2d42f8391b360522eb319c257b3e4cdacc1568eeed32ff4c0c23926ec2d443085218a

Download Submit
memory/768-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/768-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/768-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/768-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2692-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3332-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3332-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3332-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3332-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3648-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3648-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3792-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3792-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3792-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3792-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3792-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3792-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4144-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4144-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4240-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4240-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4240-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4384-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads