neconyd | 79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c

General

Target

79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
Size

134KB
MD5

4dd45c7f9a20cd1f51efbb4f936fd110
SHA1

282133cdfadd8e38b81303b9566828ee0f9f8c54
SHA256

79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c
SHA512

9bc2cc9cbf11a80fc612ad44ff9162c3b119c180c9855414a9ee9ef44adb4a7c7e74409b90f74704ec61cdff54780ecbdc602e5ed797bc2b98997d3af342c7ce
SSDEEP

1536:gDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:WiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

3056 omsecor.exe
2556 omsecor.exe
2016 omsecor.exe
2760 omsecor.exe
868 omsecor.exe
2272 omsecor.exe

pid	process
3056	omsecor.exe
2556	omsecor.exe
2016	omsecor.exe
2760	omsecor.exe
868	omsecor.exe
2272	omsecor.exe

Loads dropped DLL 7 IoCs

Processes:

79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

pid	process
1996	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
1996	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
3056	omsecor.exe
2556	omsecor.exe
2556	omsecor.exe
2760	omsecor.exe
2760	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3020 set thread context of 1996	3020	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
PID 3056 set thread context of 2556	3056	omsecor.exe	omsecor.exe
PID 2016 set thread context of 2760	2016	omsecor.exe	omsecor.exe
PID 868 set thread context of 2272	868	omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3020 wrote to memory of 1996	3020	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
PID 3020 wrote to memory of 1996	3020	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
PID 3020 wrote to memory of 1996	3020	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
PID 3020 wrote to memory of 1996	3020	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
PID 3020 wrote to memory of 1996	3020	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
PID 3020 wrote to memory of 1996	3020	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
PID 1996 wrote to memory of 3056	1996	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	omsecor.exe
PID 1996 wrote to memory of 3056	1996	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	omsecor.exe
PID 1996 wrote to memory of 3056	1996	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	omsecor.exe
PID 1996 wrote to memory of 3056	1996	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	omsecor.exe
PID 3056 wrote to memory of 2556	3056	omsecor.exe	omsecor.exe
PID 3056 wrote to memory of 2556	3056	omsecor.exe	omsecor.exe
PID 3056 wrote to memory of 2556	3056	omsecor.exe	omsecor.exe
PID 3056 wrote to memory of 2556	3056	omsecor.exe	omsecor.exe
PID 3056 wrote to memory of 2556	3056	omsecor.exe	omsecor.exe
PID 3056 wrote to memory of 2556	3056	omsecor.exe	omsecor.exe
PID 2556 wrote to memory of 2016	2556	omsecor.exe	omsecor.exe
PID 2556 wrote to memory of 2016	2556	omsecor.exe	omsecor.exe
PID 2556 wrote to memory of 2016	2556	omsecor.exe	omsecor.exe
PID 2556 wrote to memory of 2016	2556	omsecor.exe	omsecor.exe
PID 2016 wrote to memory of 2760	2016	omsecor.exe	omsecor.exe
PID 2016 wrote to memory of 2760	2016	omsecor.exe	omsecor.exe
PID 2016 wrote to memory of 2760	2016	omsecor.exe	omsecor.exe
PID 2016 wrote to memory of 2760	2016	omsecor.exe	omsecor.exe
PID 2016 wrote to memory of 2760	2016	omsecor.exe	omsecor.exe
PID 2016 wrote to memory of 2760	2016	omsecor.exe	omsecor.exe
PID 2760 wrote to memory of 868	2760	omsecor.exe	omsecor.exe
PID 2760 wrote to memory of 868	2760	omsecor.exe	omsecor.exe
PID 2760 wrote to memory of 868	2760	omsecor.exe	omsecor.exe
PID 2760 wrote to memory of 868	2760	omsecor.exe	omsecor.exe
PID 868 wrote to memory of 2272	868	omsecor.exe	omsecor.exe
PID 868 wrote to memory of 2272	868	omsecor.exe	omsecor.exe
PID 868 wrote to memory of 2272	868	omsecor.exe	omsecor.exe
PID 868 wrote to memory of 2272	868	omsecor.exe	omsecor.exe
PID 868 wrote to memory of 2272	868	omsecor.exe	omsecor.exe
PID 868 wrote to memory of 2272	868	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Temp\79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:2272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
120b13ff0d8b53d791a48b23079a475b

SHA1
4779d30d10b2f8aacdf96fe1eb33c7b009af81c7

SHA256
786dadbde3caf3c9c2208cad7c6ecf521660768e332bc4baf5a75bae4fc047b5

SHA512
0e64268c6356f715022548a034877335737dc4a3719cb18ed78493e781608feafa99840799bb49aa9f3f07d88da7ecd378a1c37a7fa87f4242da27fd18b6244b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
a5ba1a7a4e024a27b4ce64b42e3beb5c

SHA1
955bd007639d25460cd7a45ec4cb6cf6b2e34651

SHA256
ab218b1b0e55defbf5c245419f1ed42a98c307b16eaf5df643d923ec32a53bad

SHA512
6594a91602fec6c495f2ceabb53efbfdaa5ad468fd33bd6c2b7c52d99ab6dcd03ade34476d8857063e176505045b8220b189b413c6f265d894b40eba06e814ef

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
134KB

MD5
b05e3f9f0132c1c50481e7f9c4b86de7

SHA1
ca500ae65ff922af4d28035a3c7daabf7a6f4c4c

SHA256
b98f2d7c136326fe818ca2fdf988dc355a2588996f52e0cb9d381ea035cb67e5

SHA512
f9efc0055b6dc70e93d5834588e74daae1e631910d2b70fbd2f9041b7e050db560b17de7f6dc0699176b41a8bdf365d9967666d5683e29a2c9a00b8cac789232

Download Submit
memory/868-85-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/868-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1996-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1996-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1996-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1996-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1996-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2016-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2272-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2272-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2556-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2556-46-0x00000000002A0000-0x00000000002C4000-memory.dmp

Filesize
144KB

Download
memory/2556-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2556-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2556-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2760-70-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/3020-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3020-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3020-1-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/3056-24-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/3056-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3056-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads