neconyd | 5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8

General

Target

5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
Size

96KB
MD5

78eab8d89955ec425cbca080ec3e18f0
SHA1

ed554a3a4643a811cded84dfef251d7ce82917e3
SHA256

5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8
SHA512

f8f69e580a079deb72d64edb13af9f29c0a360066ed06719222788373095cba5d757706f58d7cfaf3ccf2ca3b6ce4c411c937311557650a8c063881a709e03d2
SSDEEP

1536:jnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:jGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

1744 omsecor.exe
2676 omsecor.exe
1032 omsecor.exe
2412 omsecor.exe
1304 omsecor.exe
3036 omsecor.exe

pid	process
1744	omsecor.exe
2676	omsecor.exe
1032	omsecor.exe
2412	omsecor.exe
1304	omsecor.exe
3036	omsecor.exe

Loads dropped DLL 7 IoCs

Processes:

5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

pid	process
2212	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
2212	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
1744	omsecor.exe
2676	omsecor.exe
2676	omsecor.exe
2412	omsecor.exe
2412	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1916 set thread context of 2212	1916	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
PID 1744 set thread context of 2676	1744	omsecor.exe	omsecor.exe
PID 1032 set thread context of 2412	1032	omsecor.exe	omsecor.exe
PID 1304 set thread context of 3036	1304	omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1916 wrote to memory of 2212	1916	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
PID 1916 wrote to memory of 2212	1916	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
PID 1916 wrote to memory of 2212	1916	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
PID 1916 wrote to memory of 2212	1916	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
PID 1916 wrote to memory of 2212	1916	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
PID 1916 wrote to memory of 2212	1916	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
PID 2212 wrote to memory of 1744	2212	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	omsecor.exe
PID 2212 wrote to memory of 1744	2212	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	omsecor.exe
PID 2212 wrote to memory of 1744	2212	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	omsecor.exe
PID 2212 wrote to memory of 1744	2212	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	omsecor.exe
PID 1744 wrote to memory of 2676	1744	omsecor.exe	omsecor.exe
PID 1744 wrote to memory of 2676	1744	omsecor.exe	omsecor.exe
PID 1744 wrote to memory of 2676	1744	omsecor.exe	omsecor.exe
PID 1744 wrote to memory of 2676	1744	omsecor.exe	omsecor.exe
PID 1744 wrote to memory of 2676	1744	omsecor.exe	omsecor.exe
PID 1744 wrote to memory of 2676	1744	omsecor.exe	omsecor.exe
PID 2676 wrote to memory of 1032	2676	omsecor.exe	omsecor.exe
PID 2676 wrote to memory of 1032	2676	omsecor.exe	omsecor.exe
PID 2676 wrote to memory of 1032	2676	omsecor.exe	omsecor.exe
PID 2676 wrote to memory of 1032	2676	omsecor.exe	omsecor.exe
PID 1032 wrote to memory of 2412	1032	omsecor.exe	omsecor.exe
PID 1032 wrote to memory of 2412	1032	omsecor.exe	omsecor.exe
PID 1032 wrote to memory of 2412	1032	omsecor.exe	omsecor.exe
PID 1032 wrote to memory of 2412	1032	omsecor.exe	omsecor.exe
PID 1032 wrote to memory of 2412	1032	omsecor.exe	omsecor.exe
PID 1032 wrote to memory of 2412	1032	omsecor.exe	omsecor.exe
PID 2412 wrote to memory of 1304	2412	omsecor.exe	omsecor.exe
PID 2412 wrote to memory of 1304	2412	omsecor.exe	omsecor.exe
PID 2412 wrote to memory of 1304	2412	omsecor.exe	omsecor.exe
PID 2412 wrote to memory of 1304	2412	omsecor.exe	omsecor.exe
PID 1304 wrote to memory of 3036	1304	omsecor.exe	omsecor.exe
PID 1304 wrote to memory of 3036	1304	omsecor.exe	omsecor.exe
PID 1304 wrote to memory of 3036	1304	omsecor.exe	omsecor.exe
PID 1304 wrote to memory of 3036	1304	omsecor.exe	omsecor.exe
PID 1304 wrote to memory of 3036	1304	omsecor.exe	omsecor.exe
PID 1304 wrote to memory of 3036	1304	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:3036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
865a5f68f5e929dfe6046520f7a8db08

SHA1
9864ef874ba2585527bc4ac228202d2b935d9689

SHA256
33d0a998305b27406f0eaa610f19845d888bc9a6dbfb3939bd88a500f2a50657

SHA512
ab671a92bd043bff913d6dbf139c64c304023dd1088787287585a97c17152ddd8c7ee63c0824360763b5513a0cdd5e8dc8d16478d36ecb3e43e11ae57147bf69

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
9d722c4b650463dd31ff304ed153f50f

SHA1
9b1ad9d682a35b7c742072b4e5bde57a3003d86d

SHA256
72b772ca68b0264deb329891a78458da3babfd82b9d3372053f76620085565e8

SHA512
d6f092be8696e9429f8b36aab363ac9fcd841d8438d92c273d88db5659cd84ddb60ab72420b8ae9a47cf4b45683ed224a5614edce2cbc39f663d6d051714e121

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
96KB

MD5
ad34fb79ab2f7c7109cd5f41d62c5d30

SHA1
960cb4348240ad2d87f10c3e3619ff942ab3ef90

SHA256
b7a672752b37258f85af36dc21efcf7e676adbf168c9bf9649dee4b5cc3891eb

SHA512
12f0d17b617114dab9e0d0d1c0970c0adc4317b0d9a30beb05839a58c98fc574ebe1ca179682058c77ab32c66fd112f9d94bd7f067bacdb36a678fd6544730b4

Download Submit
memory/1032-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1032-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1304-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1304-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1744-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1744-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1916-1-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1916-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1916-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2212-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2212-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2212-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2212-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2212-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2676-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2676-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2676-47-0x00000000004E0000-0x0000000000503000-memory.dmp

Filesize
140KB

Download
memory/2676-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2676-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3036-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads