neconyd | 74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67

General

Target

74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67_NeikiAnalytics.exe
Size

76KB
MD5

7f12fea9662ad20304339ce253efec40
SHA1

ce39320091985adf77329b7490df35cb988cfa5e
SHA256

74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67
SHA512

a521d513045e382fb642c4ed6066af8e6dc8f8e3c9b13cb2d71a5eb1347d150a54737457bd4f7942b219ad8bb110e1ae0cd80f5035b958e68a558c8d1ac93342
SSDEEP

1536:Vd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11:ddseIOMEZEyFjEOFqaiQm5l/5w11

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2012 omsecor.exe
2240 omsecor.exe
1664 omsecor.exe

pid	process
2012	omsecor.exe
2240	omsecor.exe
1664	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67_NeikiAnalytics.exeomsecor.exeomsecor.exe

pid	process
1640	74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67_NeikiAnalytics.exe
1640	74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67_NeikiAnalytics.exe
2012	omsecor.exe
2012	omsecor.exe
2240	omsecor.exe
2240	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1640 wrote to memory of 2012	1640	74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67_NeikiAnalytics.exe	omsecor.exe
PID 1640 wrote to memory of 2012	1640	74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67_NeikiAnalytics.exe	omsecor.exe
PID 1640 wrote to memory of 2012	1640	74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67_NeikiAnalytics.exe	omsecor.exe
PID 1640 wrote to memory of 2012	1640	74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67_NeikiAnalytics.exe	omsecor.exe
PID 2012 wrote to memory of 2240	2012	omsecor.exe	omsecor.exe
PID 2012 wrote to memory of 2240	2012	omsecor.exe	omsecor.exe
PID 2012 wrote to memory of 2240	2012	omsecor.exe	omsecor.exe
PID 2012 wrote to memory of 2240	2012	omsecor.exe	omsecor.exe
PID 2240 wrote to memory of 1664	2240	omsecor.exe	omsecor.exe
PID 2240 wrote to memory of 1664	2240	omsecor.exe	omsecor.exe
PID 2240 wrote to memory of 1664	2240	omsecor.exe	omsecor.exe
PID 2240 wrote to memory of 1664	2240	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
76KB

MD5
3f84b447c72eebee80ee09969bb920a3

SHA1
08b19d4c2d121f0da2d560a2fff24e6ff3b3737d

SHA256
c6c05d2d1d61cc86b03c693bb8f1e880bd10db0e83bee36f2a4d858910940d79

SHA512
37405ee2c70accbf15421e02dbeae32cc622843613bedd36dd10b6d6034cadc0492158f8623cdeb37636941e5b2f3511b53923710b9d2a594507621d86d8192d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
76KB

MD5
c5769621744a78a9cc118718f1776adb

SHA1
822b9c815f8a6161e86ffca4e1b98c023cd59332

SHA256
b739919a2886cb4e89e7cb109a67b7e2a56a71f70bd5e7678bbafd19a4be5b8f

SHA512
258543be6fd458e1b386d56aa2e889f958f6c24b576ebef5c3683d2d5058bb16f96f44fd0f55bbc327d689df4a1749f6f9b9ebe637cd82b5a70c77317f4f66f4

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
76KB

MD5
5f3354c6d226e05a51db414987ef7b12

SHA1
622f0fef7c3e4995e7d01e3dc939f6a9672e9cb8

SHA256
c84dd384fc687701af11f3b874d4bcd3c5f91f10c56f45faebd2f2c352c4c172

SHA512
39d5ceff2eb42c28a8794d4b9b649db576c12119e2f84241080142156d2589ceb04cd2bbf896462bea2995ee54b31c2186f49a4a3729c277c2e56f5753a8519f

Download Submit
memory/1640-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1640-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1664-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1664-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2012-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2012-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2012-15-0x00000000003A0000-0x00000000003CA000-memory.dmp

Filesize
168KB

Download
memory/2012-21-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2240-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing