neconyd | 68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2

General

Target

68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe
Size

76KB
MD5

c6928f88335e8de599699531bfb05da0
SHA1

05bab1e52ed3986f3b9e03458ad38dac9e51769c
SHA256

68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2
SHA512

a6288be35b8b02e547244a5f8b07cc865d4fa6df837a16a6c321a9823280816cd368331dc96c55c0c7d084c10909b64d36c6ea1f1b954eeff6a44c1d20ac56ac
SSDEEP

1536:ad9dseIOcE93dIvYvZEyF4EEOF6N4yS+AQmZTl/5R11:6dseIOKEZEyFjEOFqTiQm5l/5R11

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1952 omsecor.exe
1028 omsecor.exe
2392 omsecor.exe

pid	process
1952	omsecor.exe
1028	omsecor.exe
2392	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exeomsecor.exeomsecor.exe

pid	process
2388	68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe
2388	68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe
1952	omsecor.exe
1952	omsecor.exe
1028	omsecor.exe
1028	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2388 wrote to memory of 1952	2388	68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe	omsecor.exe
PID 2388 wrote to memory of 1952	2388	68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe	omsecor.exe
PID 2388 wrote to memory of 1952	2388	68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe	omsecor.exe
PID 2388 wrote to memory of 1952	2388	68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe	omsecor.exe
PID 1952 wrote to memory of 1028	1952	omsecor.exe	omsecor.exe
PID 1952 wrote to memory of 1028	1952	omsecor.exe	omsecor.exe
PID 1952 wrote to memory of 1028	1952	omsecor.exe	omsecor.exe
PID 1952 wrote to memory of 1028	1952	omsecor.exe	omsecor.exe
PID 1028 wrote to memory of 2392	1028	omsecor.exe	omsecor.exe
PID 1028 wrote to memory of 2392	1028	omsecor.exe	omsecor.exe
PID 1028 wrote to memory of 2392	1028	omsecor.exe	omsecor.exe
PID 1028 wrote to memory of 2392	1028	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:2392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
76KB

MD5
0124a2e4bd1ee0be8d80e4ffefc6b657

SHA1
369ab923c5a7b6d287de7a00c7249079e7fb57e9

SHA256
499f65096926d950034873788910438d0b61a22be4216c15e1075ab6b17268e1

SHA512
c0c538466a6c14a767063c2385508f5e4127c6b353167046b35efbbfcb92a54d0bc83293189c1e73448a7b2cc6fe6a3f36eb42de72d55ed300cb3f404020c6f8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
76KB

MD5
5ed2b3da5601676f7dcab676d04c19d7

SHA1
44ced867ecd6435f0283c46544bf6c574d09ddb8

SHA256
3261f5a6b0bea00bfbc1a1a53a7489fe4b56f3402525845ccd0e38735574e4c0

SHA512
76c5e8dccd146799d45ad554ede8e231551188e1a997bbf8019f9144eb8c9e011a471fae18ecfc7ebcdcfbbbef05e5c66b53d4d590e17348cb0eae99f49d0197

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
76KB

MD5
196932566ea950b882a052d995e81357

SHA1
6fb40d163fdc7a0cadfd5058dfab22d1eedb6377

SHA256
9f7cc18c31bfaac5d35b5f934881f12afcf3ab1c1d25e2a8516e99f9d520835d

SHA512
16ef78d321949a9b22f3a0cbe092500e1483801ba5280e46b08243b22ce850331373b675d5070daa4b7d7b46a6be841ef6dfacaaf057a37fa1f916eb2a230005

Download Submit
memory/1028-28-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1952-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1952-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1952-19-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/1952-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2388-4-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2388-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2388-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2392-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2392-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing