neconyd | 0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712

General

Target

0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
Size

134KB
MD5

532b2d4f27e940632c8c0f5b97d126a0
SHA1

2a72232e820bd8ceb2c1887f0d9a9aab35276f61
SHA256

0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712
SHA512

03c3748ef7433a9d88ba26765f695382a3a14eab69240ff3882296ef6220d1acc001fe586e358260e4e381f0dd9230a24ccdc3daf8b14cbb621c9c707a23161f
SSDEEP

1536:EDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:aiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

1808 omsecor.exe
4920 omsecor.exe
4748 omsecor.exe
4604 omsecor.exe
3892 omsecor.exe
3804 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
1808	omsecor.exe
4920	omsecor.exe
4748	omsecor.exe
4604	omsecor.exe
3892	omsecor.exe
3804	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 4420 set thread context of 2872	4420	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
PID 1808 set thread context of 4920	1808	omsecor.exe	omsecor.exe
PID 4748 set thread context of 4604	4748	omsecor.exe	omsecor.exe
PID 3892 set thread context of 3804	3892	omsecor.exe	omsecor.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process

3272 1808 WerFault.exe
2728 4420 WerFault.exe
3356 4748 WerFault.exe omsecor.exe
3476 3892 WerFault.exe omsecor.exe

pid	pid_target	process
3272	1808	WerFault.exe
2728	4420	WerFault.exe
3356	4748	WerFault.exe	omsecor.exe
3476	3892	WerFault.exe	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 4420 wrote to memory of 2872	4420	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
PID 4420 wrote to memory of 2872	4420	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
PID 4420 wrote to memory of 2872	4420	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
PID 4420 wrote to memory of 2872	4420	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
PID 4420 wrote to memory of 2872	4420	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
PID 2872 wrote to memory of 1808	2872	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	omsecor.exe
PID 2872 wrote to memory of 1808	2872	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	omsecor.exe
PID 2872 wrote to memory of 1808	2872	0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe	omsecor.exe
PID 1808 wrote to memory of 4920	1808	omsecor.exe	omsecor.exe
PID 1808 wrote to memory of 4920	1808	omsecor.exe	omsecor.exe
PID 1808 wrote to memory of 4920	1808	omsecor.exe	omsecor.exe
PID 1808 wrote to memory of 4920	1808	omsecor.exe	omsecor.exe
PID 1808 wrote to memory of 4920	1808	omsecor.exe	omsecor.exe
PID 4920 wrote to memory of 4748	4920	omsecor.exe	omsecor.exe
PID 4920 wrote to memory of 4748	4920	omsecor.exe	omsecor.exe
PID 4920 wrote to memory of 4748	4920	omsecor.exe	omsecor.exe
PID 4748 wrote to memory of 4604	4748	omsecor.exe	omsecor.exe
PID 4748 wrote to memory of 4604	4748	omsecor.exe	omsecor.exe
PID 4748 wrote to memory of 4604	4748	omsecor.exe	omsecor.exe
PID 4748 wrote to memory of 4604	4748	omsecor.exe	omsecor.exe
PID 4748 wrote to memory of 4604	4748	omsecor.exe	omsecor.exe
PID 4604 wrote to memory of 3892	4604	omsecor.exe	omsecor.exe
PID 4604 wrote to memory of 3892	4604	omsecor.exe	omsecor.exe
PID 4604 wrote to memory of 3892	4604	omsecor.exe	omsecor.exe
PID 3892 wrote to memory of 3804	3892	omsecor.exe	omsecor.exe
PID 3892 wrote to memory of 3804	3892	omsecor.exe	omsecor.exe
PID 3892 wrote to memory of 3804	3892	omsecor.exe	omsecor.exe
PID 3892 wrote to memory of 3804	3892	omsecor.exe	omsecor.exe
PID 3892 wrote to memory of 3804	3892	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4420

C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\0830b3964efe6d691d55eadc89b4f7ea245ca4c57b14151571ebca9e13d08712_NeikiAnalytics.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3892

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 268
8⤵
- Program crash
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 292
6⤵
- Program crash
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 292
4⤵
- Program crash
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 296
2⤵
- Program crash
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4420 -ip 4420
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1808 -ip 1808
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4748 -ip 4748
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3892 -ip 3892
1⤵
PID:4576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
1d70056766471cbe20b90aaa2679535b

SHA1
1a872b735c5f6a562618cf3a10a194876711f300

SHA256
06e22d72a342fb7dc228caf3f452d9de0eebc4ef5c056268135487cc3a3c133e

SHA512
b7e9b545c99a921999b7c69fd803da8cefdadf8ad2fd9cb3f4821bf100c7bf1f80c3f58ef11e28b4070a28ef54e6b6f7345057e0238c72cb1037a30637a35ddd

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
bd0ed18ae07c6561166cb812b786003d

SHA1
6fddd95aa756366892fce50fda6d8ec7c004316f

SHA256
82af52c9e585409fd030e0a2a034bc42619f40f47e46a1e7306c9f7712fb7f35

SHA512
74e15c419e7de5c90319c876bea51466bb71d2c0d60f3be055837ecb45d33d0d472bdb7cbdc7dae2447f268cb5cc6bdb2f726afdabb1a5578307a47f85488477

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
134KB

MD5
9289cb9a89dee541fa644e4e42a205dc

SHA1
310425c7d036779442687c719bb0b59e0d3f499e

SHA256
12428ef21052e8a099831804ddc9c38c636b0811320a29999ff49c6295572157

SHA512
1de14ce1afc6a14dea422fec1ca47cc3a96326271fd3a5870ac3659e36cba5ae4daa3b0d0e9ba0ec5a2dc151ed49b950134e6bac76cef1111eafcb246b9d1bfa

Download Submit
memory/1808-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1808-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2872-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2872-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2872-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2872-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3804-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3804-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3804-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3804-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3804-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3804-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3892-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4420-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4420-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4604-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4604-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4604-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4748-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4920-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4920-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing