neconyd | 3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e

General

Target

3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e_NeikiAnalytics.exe
Size

76KB
MD5

1c871abc6a0113ded5251e63195619a0
SHA1

b5aa6601c179bba9b5c8f9e4b89d89241f380b43
SHA256

3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e
SHA512

87d5f46eb94183da57d40e3ce28a8a0270bfedfc2f267392b6f4b9882c506f2af5507e8ea5a0ebc825f9284dc1a0f5ea1e0d6dcc8281c107d10202f5a62d5866
SSDEEP

1536:vd9dseIOcE93dIvYvZDyF4EEOF6N4yS+AQmZTl/5R11:HdseIOKEZDyFjEOFqTiQm5l/5R11

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2104 omsecor.exe
2788 omsecor.exe
1972 omsecor.exe

pid	process
2104	omsecor.exe
2788	omsecor.exe
1972	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e_NeikiAnalytics.exeomsecor.exeomsecor.exe

pid	process
2820	3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e_NeikiAnalytics.exe
2820	3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e_NeikiAnalytics.exe
2104	omsecor.exe
2104	omsecor.exe
2788	omsecor.exe
2788	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2820 wrote to memory of 2104	2820	3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e_NeikiAnalytics.exe	omsecor.exe
PID 2820 wrote to memory of 2104	2820	3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e_NeikiAnalytics.exe	omsecor.exe
PID 2820 wrote to memory of 2104	2820	3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e_NeikiAnalytics.exe	omsecor.exe
PID 2820 wrote to memory of 2104	2820	3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e_NeikiAnalytics.exe	omsecor.exe
PID 2104 wrote to memory of 2788	2104	omsecor.exe	omsecor.exe
PID 2104 wrote to memory of 2788	2104	omsecor.exe	omsecor.exe
PID 2104 wrote to memory of 2788	2104	omsecor.exe	omsecor.exe
PID 2104 wrote to memory of 2788	2104	omsecor.exe	omsecor.exe
PID 2788 wrote to memory of 1972	2788	omsecor.exe	omsecor.exe
PID 2788 wrote to memory of 1972	2788	omsecor.exe	omsecor.exe
PID 2788 wrote to memory of 1972	2788	omsecor.exe	omsecor.exe
PID 2788 wrote to memory of 1972	2788	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
76KB

MD5
c93022fe5d684b1906971da077f25c52

SHA1
0394cafcd4e88700294fef430de5b50a2fa8e893

SHA256
a172bd2386f966626df6a16a60b6948dc2a8c2985b18474d53a309915d5a1088

SHA512
6d96b712dd0d23412ca28399ae6ad83dd1299d440c4430330a79e93c7eaf79f87f45af6c19bce38dca5b88433772590938e189795e115020dbf85a1be9c55ca1

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
76KB

MD5
ce6a67cf9ac3f906adbbc5ae5b9e6ec0

SHA1
6a23d1b9acaafa9b19bc65ebbe39a2999aa2f011

SHA256
7cb9c840797327a8d4b619cef8f9a89ced353ea48f7fc21d9a2ac318d5187522

SHA512
f57dbf87f345d15f6f838c8c1054f2624d56721b0f2a45cced1e05a878a9567136f1c436b14b284fbe2e503b6040cc16769496fa40ce65dac1c9aada123ae18d

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
76KB

MD5
316dc1dc960a505a7c1ebaf70fd812da

SHA1
ee8dfa1bb11afe9e95722d325e80ff43b9bd7480

SHA256
80a4da49d31368a6b0d63a8ab9bccfc9eb7c3a85b78e05ab6cba013d5a9a03e0

SHA512
35453b2e6e99b64fa8d17640e4a372ab573d9ab22f64de97fb3a96295ae597c9edb3a78251e65149043ec9d1a48786ec12f07306146df7dc96748a163ec4d20b

Download Submit
memory/1972-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1972-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2104-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2104-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2104-17-0x0000000000790000-0x00000000007BA000-memory.dmp

Filesize
168KB

Download
memory/2104-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2788-29-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2788-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2820-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2820-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing