neconyd | 2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613

General

Target

2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
Size

96KB
MD5

d5c619cf84bd3be0470d3672568f1430
SHA1

2e58de2fadfe56549262efd14ba858b0c56b73a6
SHA256

2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613
SHA512

74acaabd9d95ce1029d6a260413d9e7eb38e8bddefa2602ba370b92b54838437b896f42fcef74a0df5b771c8c15c1f01d7013abbb74525caca9d2d5c4f91d7b2
SSDEEP

1536:nnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:nGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

3592 omsecor.exe
744 omsecor.exe
1952 omsecor.exe
956 omsecor.exe
1864 omsecor.exe
4344 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
3592	omsecor.exe
744	omsecor.exe
1952	omsecor.exe
956	omsecor.exe
1864	omsecor.exe
4344	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3468 set thread context of 1916	3468	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
PID 3592 set thread context of 744	3592	omsecor.exe	omsecor.exe
PID 1952 set thread context of 956	1952	omsecor.exe	omsecor.exe
PID 1864 set thread context of 4344	1864	omsecor.exe	omsecor.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5092	3592	WerFault.exe	omsecor.exe
3752	3468	WerFault.exe	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
4972	1952	WerFault.exe	omsecor.exe
5040	1864	WerFault.exe	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3468 wrote to memory of 1916	3468	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
PID 3468 wrote to memory of 1916	3468	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
PID 3468 wrote to memory of 1916	3468	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
PID 3468 wrote to memory of 1916	3468	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
PID 3468 wrote to memory of 1916	3468	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
PID 1916 wrote to memory of 3592	1916	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	omsecor.exe
PID 1916 wrote to memory of 3592	1916	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	omsecor.exe
PID 1916 wrote to memory of 3592	1916	2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe	omsecor.exe
PID 3592 wrote to memory of 744	3592	omsecor.exe	omsecor.exe
PID 3592 wrote to memory of 744	3592	omsecor.exe	omsecor.exe
PID 3592 wrote to memory of 744	3592	omsecor.exe	omsecor.exe
PID 3592 wrote to memory of 744	3592	omsecor.exe	omsecor.exe
PID 3592 wrote to memory of 744	3592	omsecor.exe	omsecor.exe
PID 744 wrote to memory of 1952	744	omsecor.exe	omsecor.exe
PID 744 wrote to memory of 1952	744	omsecor.exe	omsecor.exe
PID 744 wrote to memory of 1952	744	omsecor.exe	omsecor.exe
PID 1952 wrote to memory of 956	1952	omsecor.exe	omsecor.exe
PID 1952 wrote to memory of 956	1952	omsecor.exe	omsecor.exe
PID 1952 wrote to memory of 956	1952	omsecor.exe	omsecor.exe
PID 1952 wrote to memory of 956	1952	omsecor.exe	omsecor.exe
PID 1952 wrote to memory of 956	1952	omsecor.exe	omsecor.exe
PID 956 wrote to memory of 1864	956	omsecor.exe	omsecor.exe
PID 956 wrote to memory of 1864	956	omsecor.exe	omsecor.exe
PID 956 wrote to memory of 1864	956	omsecor.exe	omsecor.exe
PID 1864 wrote to memory of 4344	1864	omsecor.exe	omsecor.exe
PID 1864 wrote to memory of 4344	1864	omsecor.exe	omsecor.exe
PID 1864 wrote to memory of 4344	1864	omsecor.exe	omsecor.exe
PID 1864 wrote to memory of 4344	1864	omsecor.exe	omsecor.exe
PID 1864 wrote to memory of 4344	1864	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Local\Temp\2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2ef8b61c2adbb09af5ac70a742b646f6bbe57e7bdd070f3e1fe503bd5a539613_NeikiAnalytics.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3592

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 256
8⤵
- Program crash
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 292
6⤵
- Program crash
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 288
4⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 296
2⤵
- Program crash
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3468 -ip 3468
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3592 -ip 3592
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1952 -ip 1952
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1864 -ip 1864
1⤵
PID:4368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
ee22b2728166bc4beb3471706d7ee9e7

SHA1
2039c210b1d4538cbd56a0a116aff0c5034e5701

SHA256
c6e25fe50ba56e7cdfe5fdaad0b8fb158e9132ec14ef28aaecc57baf6859a621

SHA512
9f266ba04f310e364b4c009c831621e79790ab14a16a22ee88c302cb7ba8f051d7ab8809a2d6bbc90cb354199b936a8a4182e4a4b9057e1fe0bdd70bb354be56

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
dd4ad9ea6b975193b29499944e7086da

SHA1
6a8ae085713c9ae32c4fac30c94a28679e306b54

SHA256
0650cc4475f7614dd951bec159bfb35259d3f5c41e44295946620998f5086ee8

SHA512
4517f28b6551b9a1aabdaaec79eea65fe53254442c099da55b01612107709ececd6b40618f625cf990a732c12e5b100d227d9e8c7010b9e18f6290d0ec034e0b

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
96KB

MD5
35406d02f0099a630a292196d177910c

SHA1
0a7c4b2757cd9090bface392ef8d8c3a694e307d

SHA256
10b6b7dea6beb741f79745370f17d698a56f316f5f3c6ccb4bb7870e132d51a9

SHA512
396370dca4a8af17cefb10d0fe0f3c6b8d209e40642bb63ea602d196962f50804334ac7003ed5fc02467b9f21f8fd241a69f454b32ac4b8370067781867a8be8

Download Submit
memory/744-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/744-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/744-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/744-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/744-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/744-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/744-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/956-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/956-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/956-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1864-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1916-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1916-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1916-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1916-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1952-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3468-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3468-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3592-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3592-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4344-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4344-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4344-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4344-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads