neconyd | 5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8

General

Target

5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
Size

96KB
MD5

78eab8d89955ec425cbca080ec3e18f0
SHA1

ed554a3a4643a811cded84dfef251d7ce82917e3
SHA256

5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8
SHA512

f8f69e580a079deb72d64edb13af9f29c0a360066ed06719222788373095cba5d757706f58d7cfaf3ccf2ca3b6ce4c411c937311557650a8c063881a709e03d2
SSDEEP

1536:jnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:jGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

3856 omsecor.exe
4560 omsecor.exe
3204 omsecor.exe
2052 omsecor.exe
4656 omsecor.exe
800 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
3856	omsecor.exe
4560	omsecor.exe
3204	omsecor.exe
2052	omsecor.exe
4656	omsecor.exe
800	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2156 set thread context of 460	2156	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
PID 3856 set thread context of 4560	3856	omsecor.exe	omsecor.exe
PID 3204 set thread context of 2052	3204	omsecor.exe	omsecor.exe
PID 4656 set thread context of 800	4656	omsecor.exe	omsecor.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5076	2156	WerFault.exe	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
3492	3856	WerFault.exe	omsecor.exe
1564	3204	WerFault.exe	omsecor.exe
548	4656	WerFault.exe	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2156 wrote to memory of 460	2156	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
PID 2156 wrote to memory of 460	2156	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
PID 2156 wrote to memory of 460	2156	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
PID 2156 wrote to memory of 460	2156	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
PID 2156 wrote to memory of 460	2156	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
PID 460 wrote to memory of 3856	460	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	omsecor.exe
PID 460 wrote to memory of 3856	460	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	omsecor.exe
PID 460 wrote to memory of 3856	460	5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe	omsecor.exe
PID 3856 wrote to memory of 4560	3856	omsecor.exe	omsecor.exe
PID 3856 wrote to memory of 4560	3856	omsecor.exe	omsecor.exe
PID 3856 wrote to memory of 4560	3856	omsecor.exe	omsecor.exe
PID 3856 wrote to memory of 4560	3856	omsecor.exe	omsecor.exe
PID 3856 wrote to memory of 4560	3856	omsecor.exe	omsecor.exe
PID 4560 wrote to memory of 3204	4560	omsecor.exe	omsecor.exe
PID 4560 wrote to memory of 3204	4560	omsecor.exe	omsecor.exe
PID 4560 wrote to memory of 3204	4560	omsecor.exe	omsecor.exe
PID 3204 wrote to memory of 2052	3204	omsecor.exe	omsecor.exe
PID 3204 wrote to memory of 2052	3204	omsecor.exe	omsecor.exe
PID 3204 wrote to memory of 2052	3204	omsecor.exe	omsecor.exe
PID 3204 wrote to memory of 2052	3204	omsecor.exe	omsecor.exe
PID 3204 wrote to memory of 2052	3204	omsecor.exe	omsecor.exe
PID 2052 wrote to memory of 4656	2052	omsecor.exe	omsecor.exe
PID 2052 wrote to memory of 4656	2052	omsecor.exe	omsecor.exe
PID 2052 wrote to memory of 4656	2052	omsecor.exe	omsecor.exe
PID 4656 wrote to memory of 800	4656	omsecor.exe	omsecor.exe
PID 4656 wrote to memory of 800	4656	omsecor.exe	omsecor.exe
PID 4656 wrote to memory of 800	4656	omsecor.exe	omsecor.exe
PID 4656 wrote to memory of 800	4656	omsecor.exe	omsecor.exe
PID 4656 wrote to memory of 800	4656	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\5126898d4ff5aa51ed59ab8967bf8721cdceb7b9181f898ed5f4074d4aba17d8_NeikiAnalytics.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:460

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3856

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4656

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 264
8⤵
- Program crash
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 296
6⤵
- Program crash
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 300
4⤵
- Program crash
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 288
2⤵
- Program crash
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2156 -ip 2156
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3856 -ip 3856
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3204 -ip 3204
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4656 -ip 4656
1⤵
PID:2200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
8a88c629cbe5290cc572740ebe3562ac

SHA1
97c14b7d0203171e3f1122f59e2cc644ed1c246a

SHA256
3593e4bf16a37e9b0ee7f95262df3aa2e95853a31448e91e19ddb5a0152b8c31

SHA512
c5eca87450fcba2d0521b6bdb7041d03a539563235db5ce138821def6417ccb73d6d72402b7050efdbae56d01ea6b567657fd2450b5da7e6293eed085522091a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
9d722c4b650463dd31ff304ed153f50f

SHA1
9b1ad9d682a35b7c742072b4e5bde57a3003d86d

SHA256
72b772ca68b0264deb329891a78458da3babfd82b9d3372053f76620085565e8

SHA512
d6f092be8696e9429f8b36aab363ac9fcd841d8438d92c273d88db5659cd84ddb60ab72420b8ae9a47cf4b45683ed224a5614edce2cbc39f663d6d051714e121

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
96KB

MD5
59dc08a52ab1278934e5e00ab9d7e824

SHA1
ee14a274c9f9b7c2a20bc573a5f1ce736879905a

SHA256
98dd9742c035d8ae138f0af05a76e24743e0dbaf3699aa01c9c0abf3d190b271

SHA512
2175b62f87225a8f8cc574ec03da2100239f2ae32eb5b88f339e604aa0bfda4597b2567c7e7bd96a1603df277c48090bf09416ca0b3573e6a1ed98037c3fdb69

Download Submit
memory/460-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/460-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/460-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/460-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/800-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/800-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/800-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/800-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/800-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/800-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2052-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2052-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2052-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2156-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2156-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3204-49-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3204-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3856-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4560-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4560-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4560-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4560-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4560-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4560-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4560-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4656-40-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4656-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads