neconyd | 2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613

General

Target

2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
Size

96KB
MD5

d5c619cf84bd3be0470d3672568f1430
SHA1

2e58de2fadfe56549262efd14ba858b0c56b73a6
SHA256

2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613
SHA512

74acaabd9d95ce1029d6a260413d9e7eb38e8bddefa2602ba370b92b54838437b896f42fcef74a0df5b771c8c15c1f01d7013abbb74525caca9d2d5c4f91d7b2
SSDEEP

1536:nnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:nGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

2432 omsecor.exe
2864 omsecor.exe
1860 omsecor.exe
2764 omsecor.exe
2880 omsecor.exe
2240 omsecor.exe

pid	process
2432	omsecor.exe
2864	omsecor.exe
1860	omsecor.exe
2764	omsecor.exe
2880	omsecor.exe
2240	omsecor.exe

Loads dropped DLL 7 IoCs

Processes:

2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

pid	process
2232	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
2232	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
2432	omsecor.exe
2864	omsecor.exe
2864	omsecor.exe
2764	omsecor.exe
2764	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 352 set thread context of 2232	352	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
PID 2432 set thread context of 2864	2432	omsecor.exe	omsecor.exe
PID 1860 set thread context of 2764	1860	omsecor.exe	omsecor.exe
PID 2880 set thread context of 2240	2880	omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 352 wrote to memory of 2232	352	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
PID 352 wrote to memory of 2232	352	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
PID 352 wrote to memory of 2232	352	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
PID 352 wrote to memory of 2232	352	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
PID 352 wrote to memory of 2232	352	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
PID 352 wrote to memory of 2232	352	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
PID 2232 wrote to memory of 2432	2232	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	omsecor.exe
PID 2232 wrote to memory of 2432	2232	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	omsecor.exe
PID 2232 wrote to memory of 2432	2232	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	omsecor.exe
PID 2232 wrote to memory of 2432	2232	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	omsecor.exe
PID 2432 wrote to memory of 2864	2432	omsecor.exe	omsecor.exe
PID 2432 wrote to memory of 2864	2432	omsecor.exe	omsecor.exe
PID 2432 wrote to memory of 2864	2432	omsecor.exe	omsecor.exe
PID 2432 wrote to memory of 2864	2432	omsecor.exe	omsecor.exe
PID 2432 wrote to memory of 2864	2432	omsecor.exe	omsecor.exe
PID 2432 wrote to memory of 2864	2432	omsecor.exe	omsecor.exe
PID 2864 wrote to memory of 1860	2864	omsecor.exe	omsecor.exe
PID 2864 wrote to memory of 1860	2864	omsecor.exe	omsecor.exe
PID 2864 wrote to memory of 1860	2864	omsecor.exe	omsecor.exe
PID 2864 wrote to memory of 1860	2864	omsecor.exe	omsecor.exe
PID 1860 wrote to memory of 2764	1860	omsecor.exe	omsecor.exe
PID 1860 wrote to memory of 2764	1860	omsecor.exe	omsecor.exe
PID 1860 wrote to memory of 2764	1860	omsecor.exe	omsecor.exe
PID 1860 wrote to memory of 2764	1860	omsecor.exe	omsecor.exe
PID 1860 wrote to memory of 2764	1860	omsecor.exe	omsecor.exe
PID 1860 wrote to memory of 2764	1860	omsecor.exe	omsecor.exe
PID 2764 wrote to memory of 2880	2764	omsecor.exe	omsecor.exe
PID 2764 wrote to memory of 2880	2764	omsecor.exe	omsecor.exe
PID 2764 wrote to memory of 2880	2764	omsecor.exe	omsecor.exe
PID 2764 wrote to memory of 2880	2764	omsecor.exe	omsecor.exe
PID 2880 wrote to memory of 2240	2880	omsecor.exe	omsecor.exe
PID 2880 wrote to memory of 2240	2880	omsecor.exe	omsecor.exe
PID 2880 wrote to memory of 2240	2880	omsecor.exe	omsecor.exe
PID 2880 wrote to memory of 2240	2880	omsecor.exe	omsecor.exe
PID 2880 wrote to memory of 2240	2880	omsecor.exe	omsecor.exe
PID 2880 wrote to memory of 2240	2880	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:352

C:\Users\Admin\AppData\Local\Temp\2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2432

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:2240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
ee22b2728166bc4beb3471706d7ee9e7

SHA1
2039c210b1d4538cbd56a0a116aff0c5034e5701

SHA256
c6e25fe50ba56e7cdfe5fdaad0b8fb158e9132ec14ef28aaecc57baf6859a621

SHA512
9f266ba04f310e364b4c009c831621e79790ab14a16a22ee88c302cb7ba8f051d7ab8809a2d6bbc90cb354199b936a8a4182e4a4b9057e1fe0bdd70bb354be56

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
63daa3f21793094b98f96c65d3719d5c

SHA1
76d443af2b4e5340cdb77b62d7f078fa61ce5a9c

SHA256
1a02250d3164965269290eb205b848f44ee80abeaed5f0fbedd26ad6b139f1d8

SHA512
1523297aeeb705d934ecfcdadabf3131591a40ee00061c7caef4d1a7f4efd3731536224d76a9bbb3f8ebd9698aa14e060570a40251bdda58e9a958f8c6c35643

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
96KB

MD5
360768c7e9f38afe4f7996b1c5eef065

SHA1
72f9c83bac37749da927ff97f99e86268ac31fe7

SHA256
0151b139c9afe2209ff2d1126c6d6c2037a9d749d58b8cc7c696d1a8e0a31c74

SHA512
a01577305137e7095a78b1565efb11c05d00b0433497c9025e9241095832501b132c0d2c47d102240d19e23759936ee8e9ab9dfaa73169f4a20d3c1562b82964

Download Submit
memory/352-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/352-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1860-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1860-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2232-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2232-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2232-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2232-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2232-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2240-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2240-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2432-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2432-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2764-71-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2864-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2864-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2864-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2864-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2864-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2864-46-0x0000000000330000-0x0000000000353000-memory.dmp

Filesize
140KB

Download
memory/2880-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2880-85-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads