neconyd | 636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226

General

Target

636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
Size

96KB
MD5

aee1c8fe9ab04f07b7cbc5453a577950
SHA1

f9bbe4d44be48d76bad611fb4cd1e8eb742daac3
SHA256

636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226
SHA512

1643ff56122101741a1af337347c972a770a3a0a25e6ba245d3fd7f0ae9737138c024578f61fa823f5c05ed5ef3518d5caebeea68d0bfeedca9ffbb8472b1e0c
SSDEEP

1536:rnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:rGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

396 omsecor.exe
4608 omsecor.exe
2884 omsecor.exe
1156 omsecor.exe
1372 omsecor.exe
4800 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
396	omsecor.exe
4608	omsecor.exe
2884	omsecor.exe
1156	omsecor.exe
1372	omsecor.exe
4800	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 264 set thread context of 2696	264	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
PID 396 set thread context of 4608	396	omsecor.exe	omsecor.exe
PID 2884 set thread context of 1156	2884	omsecor.exe	omsecor.exe
PID 1372 set thread context of 4800	1372	omsecor.exe	omsecor.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
428	264	WerFault.exe	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
5008	396	WerFault.exe	omsecor.exe
3620	2884	WerFault.exe	omsecor.exe
812	1372	WerFault.exe	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 264 wrote to memory of 2696	264	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
PID 264 wrote to memory of 2696	264	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
PID 264 wrote to memory of 2696	264	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
PID 264 wrote to memory of 2696	264	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
PID 264 wrote to memory of 2696	264	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
PID 2696 wrote to memory of 396	2696	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	omsecor.exe
PID 2696 wrote to memory of 396	2696	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	omsecor.exe
PID 2696 wrote to memory of 396	2696	636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe	omsecor.exe
PID 396 wrote to memory of 4608	396	omsecor.exe	omsecor.exe
PID 396 wrote to memory of 4608	396	omsecor.exe	omsecor.exe
PID 396 wrote to memory of 4608	396	omsecor.exe	omsecor.exe
PID 396 wrote to memory of 4608	396	omsecor.exe	omsecor.exe
PID 396 wrote to memory of 4608	396	omsecor.exe	omsecor.exe
PID 4608 wrote to memory of 2884	4608	omsecor.exe	omsecor.exe
PID 4608 wrote to memory of 2884	4608	omsecor.exe	omsecor.exe
PID 4608 wrote to memory of 2884	4608	omsecor.exe	omsecor.exe
PID 2884 wrote to memory of 1156	2884	omsecor.exe	omsecor.exe
PID 2884 wrote to memory of 1156	2884	omsecor.exe	omsecor.exe
PID 2884 wrote to memory of 1156	2884	omsecor.exe	omsecor.exe
PID 2884 wrote to memory of 1156	2884	omsecor.exe	omsecor.exe
PID 2884 wrote to memory of 1156	2884	omsecor.exe	omsecor.exe
PID 1156 wrote to memory of 1372	1156	omsecor.exe	omsecor.exe
PID 1156 wrote to memory of 1372	1156	omsecor.exe	omsecor.exe
PID 1156 wrote to memory of 1372	1156	omsecor.exe	omsecor.exe
PID 1372 wrote to memory of 4800	1372	omsecor.exe	omsecor.exe
PID 1372 wrote to memory of 4800	1372	omsecor.exe	omsecor.exe
PID 1372 wrote to memory of 4800	1372	omsecor.exe	omsecor.exe
PID 1372 wrote to memory of 4800	1372	omsecor.exe	omsecor.exe
PID 1372 wrote to memory of 4800	1372	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:264

C:\Users\Admin\AppData\Local\Temp\636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\636543f94098d30089c1953d2300ac92807ba523bcca91e218cf2c3fd67a0226_NeikiAnalytics.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:396

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 240
8⤵
- Program crash
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 292
6⤵
- Program crash
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 288
4⤵
- Program crash
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 288
2⤵
- Program crash
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 264 -ip 264
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 396 -ip 396
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2884 -ip 2884
1⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1372 -ip 1372
1⤵
PID:3320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
8958172a4944d7c4bc35a1d91485ef99

SHA1
a4d88406c7b4a44aeccf68ae5f5c9bd71ed7b215

SHA256
f3e72714b242f2877f171c3689a57f1e8a1de243346242af3ff2caa7ddc13aa7

SHA512
d33980a33199bb5d76e6bd269ccab7c73781b9b91aaaf34e3ffe00e88feb8c1b053128f654dd16fde458ce3032eb8d0cf71c2f0f81c5b699b1e8e7b181f1106a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
8ddd3b9219a3ba7dbfbfcb20ec0bae8f

SHA1
5a61daaa07928c0c7d071bac49c821ac95dc0861

SHA256
0d2c8d2dd37a06b8870b6e1fc83c9c96c36d90026405476d13524591a4bb29e9

SHA512
fa8a7aa842d2e6675036d36e2d0b025267a974ffd25ea7d7806a13ebe899959711a5470d08990f4889e58318d41773ff0bfa82eb1159110235b79e7befe30561

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
96KB

MD5
760ccf986d70aa45bc8ca913c80bf3c7

SHA1
80567eb339b28563bbe5f16f7679f14a5310a8ee

SHA256
5478d531886a24f3b6a3356f62a8b0c25f3237157bdb24db3a002b09c4032eb6

SHA512
5a9c075f9eb5a21252a9d84976071d71fa4a92eddab1023505ae2b3b45769a70fe6cb436bb7ef3370aad29ca6b961a23a02e1816e4858df985355503d94df6e8

Download Submit
memory/264-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/264-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/396-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1156-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1156-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1156-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1372-42-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2696-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2696-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2884-50-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2884-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4608-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4608-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4608-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4608-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4608-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4608-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4608-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4800-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4800-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4800-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4800-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4800-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4800-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads