neconyd | 636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226

General

Target

636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
Size

96KB
MD5

aee1c8fe9ab04f07b7cbc5453a577950
SHA1

f9bbe4d44be48d76bad611fb4cd1e8eb742daac3
SHA256

636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226
SHA512

1643ff56122101741a1af337347c972a770a3a0a25e6ba245d3fd7f0ae9737138c024578f61fa823f5c05ed5ef3518d5caebeea68d0bfeedca9ffbb8472b1e0c
SSDEEP

1536:rnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:rGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

2992 omsecor.exe
2928 omsecor.exe
1996 omsecor.exe
1776 omsecor.exe
792 omsecor.exe
2692 omsecor.exe

pid	process
2992	omsecor.exe
2928	omsecor.exe
1996	omsecor.exe
1776	omsecor.exe
792	omsecor.exe
2692	omsecor.exe

Loads dropped DLL 7 IoCs

Processes:

636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

pid	process
2912	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
2912	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
2992	omsecor.exe
2928	omsecor.exe
2928	omsecor.exe
1776	omsecor.exe
1776	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2840 set thread context of 2912	2840	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
PID 2992 set thread context of 2928	2992	omsecor.exe	omsecor.exe
PID 1996 set thread context of 1776	1996	omsecor.exe	omsecor.exe
PID 792 set thread context of 2692	792	omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2840 wrote to memory of 2912	2840	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
PID 2840 wrote to memory of 2912	2840	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
PID 2840 wrote to memory of 2912	2840	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
PID 2840 wrote to memory of 2912	2840	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
PID 2840 wrote to memory of 2912	2840	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
PID 2840 wrote to memory of 2912	2840	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
PID 2912 wrote to memory of 2992	2912	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	omsecor.exe
PID 2912 wrote to memory of 2992	2912	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	omsecor.exe
PID 2912 wrote to memory of 2992	2912	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	omsecor.exe
PID 2912 wrote to memory of 2992	2912	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	omsecor.exe
PID 2992 wrote to memory of 2928	2992	omsecor.exe	omsecor.exe
PID 2992 wrote to memory of 2928	2992	omsecor.exe	omsecor.exe
PID 2992 wrote to memory of 2928	2992	omsecor.exe	omsecor.exe
PID 2992 wrote to memory of 2928	2992	omsecor.exe	omsecor.exe
PID 2992 wrote to memory of 2928	2992	omsecor.exe	omsecor.exe
PID 2992 wrote to memory of 2928	2992	omsecor.exe	omsecor.exe
PID 2928 wrote to memory of 1996	2928	omsecor.exe	omsecor.exe
PID 2928 wrote to memory of 1996	2928	omsecor.exe	omsecor.exe
PID 2928 wrote to memory of 1996	2928	omsecor.exe	omsecor.exe
PID 2928 wrote to memory of 1996	2928	omsecor.exe	omsecor.exe
PID 1996 wrote to memory of 1776	1996	omsecor.exe	omsecor.exe
PID 1996 wrote to memory of 1776	1996	omsecor.exe	omsecor.exe
PID 1996 wrote to memory of 1776	1996	omsecor.exe	omsecor.exe
PID 1996 wrote to memory of 1776	1996	omsecor.exe	omsecor.exe
PID 1996 wrote to memory of 1776	1996	omsecor.exe	omsecor.exe
PID 1996 wrote to memory of 1776	1996	omsecor.exe	omsecor.exe
PID 1776 wrote to memory of 792	1776	omsecor.exe	omsecor.exe
PID 1776 wrote to memory of 792	1776	omsecor.exe	omsecor.exe
PID 1776 wrote to memory of 792	1776	omsecor.exe	omsecor.exe
PID 1776 wrote to memory of 792	1776	omsecor.exe	omsecor.exe
PID 792 wrote to memory of 2692	792	omsecor.exe	omsecor.exe
PID 792 wrote to memory of 2692	792	omsecor.exe	omsecor.exe
PID 792 wrote to memory of 2692	792	omsecor.exe	omsecor.exe
PID 792 wrote to memory of 2692	792	omsecor.exe	omsecor.exe
PID 792 wrote to memory of 2692	792	omsecor.exe	omsecor.exe
PID 792 wrote to memory of 2692	792	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2840

C:\Users\Admin\AppData\Local\Temp\636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:2692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
8ddd3b9219a3ba7dbfbfcb20ec0bae8f

SHA1
5a61daaa07928c0c7d071bac49c821ac95dc0861

SHA256
0d2c8d2dd37a06b8870b6e1fc83c9c96c36d90026405476d13524591a4bb29e9

SHA512
fa8a7aa842d2e6675036d36e2d0b025267a974ffd25ea7d7806a13ebe899959711a5470d08990f4889e58318d41773ff0bfa82eb1159110235b79e7befe30561

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
d8dbee55c88cf4a54dbcdefc71f31c49

SHA1
c1e62f27628d0bea28681ee239a0a4cee5b657fa

SHA256
632fb35a73df3de54deccc5b4990b195357607d50efd85f3fad7129537e00cf3

SHA512
ab9e4e395afab2ab1c935ae8cbd5fb8b3b9df2c68f4a6fe80a65e1dc4070700080f796af7307d4cceb44f191a0aec4710ae03fbf1757f9d8edd8a1e80e27a6fa

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
96KB

MD5
8190845bfd1bfefdde5b07c6aa38341b

SHA1
8321d02c7f6b93f08d1bd3ac28ca031322476557

SHA256
d13059f543d3764bd722fc46f7cd45c36115adf2bfdf74880446e84e4a8ebaf1

SHA512
693caeb50ef014aab887312dd0eec696a81c20f19810d60d1ba264e5562c547a6b30637e854f3f3e40f39f52f4c29775cc5a26efacc83725ebe30d0dd214a66e

Download Submit
memory/792-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/792-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1776-73-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/1996-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1996-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2692-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2840-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2840-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2912-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2912-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2912-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2912-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2912-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-48-0x0000000000290000-0x00000000002B3000-memory.dmp

Filesize
140KB

Download
memory/2928-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2992-24-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2992-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads