neconyd | 0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712

General

Target

0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
Size

134KB
MD5

532b2d4f27e940632c8c0f5b97d126a0
SHA1

2a72232e820bd8ceb2c1887f0d9a9aab35276f61
SHA256

0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712
SHA512

03c3748ef7433a9d88ba26765f695382a3a14eab69240ff3882296ef6220d1acc001fe586e358260e4e381f0dd9230a24ccdc3daf8b14cbb621c9c707a23161f
SSDEEP

1536:EDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:aiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

2540 omsecor.exe
2692 omsecor.exe
1532 omsecor.exe
684 omsecor.exe
1504 omsecor.exe
1852 omsecor.exe

pid	process
2540	omsecor.exe
2692	omsecor.exe
1532	omsecor.exe
684	omsecor.exe
1504	omsecor.exe
1852	omsecor.exe

Loads dropped DLL 7 IoCs

Processes:

0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

pid	process
1648	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
1648	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
2540	omsecor.exe
2692	omsecor.exe
2692	omsecor.exe
684	omsecor.exe
684	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2528 set thread context of 1648	2528	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
PID 2540 set thread context of 2692	2540	omsecor.exe	omsecor.exe
PID 1532 set thread context of 684	1532	omsecor.exe	omsecor.exe
PID 1504 set thread context of 1852	1504	omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2528 wrote to memory of 1648	2528	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
PID 2528 wrote to memory of 1648	2528	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
PID 2528 wrote to memory of 1648	2528	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
PID 2528 wrote to memory of 1648	2528	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
PID 2528 wrote to memory of 1648	2528	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
PID 2528 wrote to memory of 1648	2528	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
PID 1648 wrote to memory of 2540	1648	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	omsecor.exe
PID 1648 wrote to memory of 2540	1648	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	omsecor.exe
PID 1648 wrote to memory of 2540	1648	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	omsecor.exe
PID 1648 wrote to memory of 2540	1648	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	omsecor.exe
PID 2540 wrote to memory of 2692	2540	omsecor.exe	omsecor.exe
PID 2540 wrote to memory of 2692	2540	omsecor.exe	omsecor.exe
PID 2540 wrote to memory of 2692	2540	omsecor.exe	omsecor.exe
PID 2540 wrote to memory of 2692	2540	omsecor.exe	omsecor.exe
PID 2540 wrote to memory of 2692	2540	omsecor.exe	omsecor.exe
PID 2540 wrote to memory of 2692	2540	omsecor.exe	omsecor.exe
PID 2692 wrote to memory of 1532	2692	omsecor.exe	omsecor.exe
PID 2692 wrote to memory of 1532	2692	omsecor.exe	omsecor.exe
PID 2692 wrote to memory of 1532	2692	omsecor.exe	omsecor.exe
PID 2692 wrote to memory of 1532	2692	omsecor.exe	omsecor.exe
PID 1532 wrote to memory of 684	1532	omsecor.exe	omsecor.exe
PID 1532 wrote to memory of 684	1532	omsecor.exe	omsecor.exe
PID 1532 wrote to memory of 684	1532	omsecor.exe	omsecor.exe
PID 1532 wrote to memory of 684	1532	omsecor.exe	omsecor.exe
PID 1532 wrote to memory of 684	1532	omsecor.exe	omsecor.exe
PID 1532 wrote to memory of 684	1532	omsecor.exe	omsecor.exe
PID 684 wrote to memory of 1504	684	omsecor.exe	omsecor.exe
PID 684 wrote to memory of 1504	684	omsecor.exe	omsecor.exe
PID 684 wrote to memory of 1504	684	omsecor.exe	omsecor.exe
PID 684 wrote to memory of 1504	684	omsecor.exe	omsecor.exe
PID 1504 wrote to memory of 1852	1504	omsecor.exe	omsecor.exe
PID 1504 wrote to memory of 1852	1504	omsecor.exe	omsecor.exe
PID 1504 wrote to memory of 1852	1504	omsecor.exe	omsecor.exe
PID 1504 wrote to memory of 1852	1504	omsecor.exe	omsecor.exe
PID 1504 wrote to memory of 1852	1504	omsecor.exe	omsecor.exe
PID 1504 wrote to memory of 1852	1504	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2528

C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:1852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
1d70056766471cbe20b90aaa2679535b

SHA1
1a872b735c5f6a562618cf3a10a194876711f300

SHA256
06e22d72a342fb7dc228caf3f452d9de0eebc4ef5c056268135487cc3a3c133e

SHA512
b7e9b545c99a921999b7c69fd803da8cefdadf8ad2fd9cb3f4821bf100c7bf1f80c3f58ef11e28b4070a28ef54e6b6f7345057e0238c72cb1037a30637a35ddd

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
d8616b63a7914f91b878f2a37b369827

SHA1
7cba1c028a8bec3a37a03a78329c57a81504dd1f

SHA256
ec31b349584d3468cb5a917b355b16a102ab1542d8aaa291f67e7bdd3e6500fa

SHA512
6e2079c161e86934f185724ae501f14b5a2e28d73dfed4835453062c8cbfa0e5944973672eb47b818bb75f478a3b4f3172fd6267093d1d5dee8001121cdfcb51

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
134KB

MD5
801b4def57ebc571d486412be137b09e

SHA1
c7b2d2c9e628d46fa1fb5d93b1c0146f5cbe289e

SHA256
a12a155219e8722cd08fa5d3ba01bd82f413c7f798f9214effa7913412efb8e9

SHA512
f0913557d33a3b29116075214fe174ef40fd25ac6fa177c906cbc8a74f689b977a7c518e7fd43977ebf63908727c6653cf1266f56edbb659e07b584e0d72d6ed

Download Submit
memory/1504-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1504-76-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1532-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1532-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1648-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1648-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1648-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1648-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1648-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1648-13-0x0000000000430000-0x0000000000454000-memory.dmp

Filesize
144KB

Download
memory/1852-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1852-85-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2528-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2528-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2692-45-0x0000000000390000-0x00000000003B4000-memory.dmp

Filesize
144KB

Download
memory/2692-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2692-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads