neconyd | 79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c

General

Target

79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
Size

134KB
MD5

4dd45c7f9a20cd1f51efbb4f936fd110
SHA1

282133cdfadd8e38b81303b9566828ee0f9f8c54
SHA256

79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c
SHA512

9bc2cc9cbf11a80fc612ad44ff9162c3b119c180c9855414a9ee9ef44adb4a7c7e74409b90f74704ec61cdff54780ecbdc602e5ed797bc2b98997d3af342c7ce
SSDEEP

1536:gDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:WiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

4268 omsecor.exe
3400 omsecor.exe
5064 omsecor.exe
4992 omsecor.exe
3792 omsecor.exe
3412 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
4268	omsecor.exe
3400	omsecor.exe
5064	omsecor.exe
4992	omsecor.exe
3792	omsecor.exe
3412	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1836 set thread context of 1272	1836	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
PID 4268 set thread context of 3400	4268	omsecor.exe	omsecor.exe
PID 5064 set thread context of 4992	5064	omsecor.exe	omsecor.exe
PID 3792 set thread context of 3412	3792	omsecor.exe	omsecor.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4540	4268	WerFault.exe	omsecor.exe
4736	1836	WerFault.exe	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
4984	5064	WerFault.exe	omsecor.exe
2968	3792	WerFault.exe	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1836 wrote to memory of 1272	1836	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
PID 1836 wrote to memory of 1272	1836	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
PID 1836 wrote to memory of 1272	1836	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
PID 1836 wrote to memory of 1272	1836	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
PID 1836 wrote to memory of 1272	1836	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
PID 1272 wrote to memory of 4268	1272	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	omsecor.exe
PID 1272 wrote to memory of 4268	1272	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	omsecor.exe
PID 1272 wrote to memory of 4268	1272	79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe	omsecor.exe
PID 4268 wrote to memory of 3400	4268	omsecor.exe	omsecor.exe
PID 4268 wrote to memory of 3400	4268	omsecor.exe	omsecor.exe
PID 4268 wrote to memory of 3400	4268	omsecor.exe	omsecor.exe
PID 4268 wrote to memory of 3400	4268	omsecor.exe	omsecor.exe
PID 4268 wrote to memory of 3400	4268	omsecor.exe	omsecor.exe
PID 3400 wrote to memory of 5064	3400	omsecor.exe	omsecor.exe
PID 3400 wrote to memory of 5064	3400	omsecor.exe	omsecor.exe
PID 3400 wrote to memory of 5064	3400	omsecor.exe	omsecor.exe
PID 5064 wrote to memory of 4992	5064	omsecor.exe	omsecor.exe
PID 5064 wrote to memory of 4992	5064	omsecor.exe	omsecor.exe
PID 5064 wrote to memory of 4992	5064	omsecor.exe	omsecor.exe
PID 5064 wrote to memory of 4992	5064	omsecor.exe	omsecor.exe
PID 5064 wrote to memory of 4992	5064	omsecor.exe	omsecor.exe
PID 4992 wrote to memory of 3792	4992	omsecor.exe	omsecor.exe
PID 4992 wrote to memory of 3792	4992	omsecor.exe	omsecor.exe
PID 4992 wrote to memory of 3792	4992	omsecor.exe	omsecor.exe
PID 3792 wrote to memory of 3412	3792	omsecor.exe	omsecor.exe
PID 3792 wrote to memory of 3412	3792	omsecor.exe	omsecor.exe
PID 3792 wrote to memory of 3412	3792	omsecor.exe	omsecor.exe
PID 3792 wrote to memory of 3412	3792	omsecor.exe	omsecor.exe
PID 3792 wrote to memory of 3412	3792	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\79e58e42ba64ec7c1f787f6b63948d48d47d6a580c8dc68727e84a76fa32919c_NeikiAnalytics.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4268

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3792

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 256
8⤵
- Program crash
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 292
6⤵
- Program crash
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 296
4⤵
- Program crash
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 288
2⤵
- Program crash
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1836 -ip 1836
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4268 -ip 4268
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5064 -ip 5064
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3792 -ip 3792
1⤵
PID:2028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
13c18f62c4c7b35704cdb50d16890f91

SHA1
1f559c60869c3ffbc8dacc34522b8ca32900abe7

SHA256
c58d597a1059a9d9187ac29f562dd1ac941e113abc5e343e6a2ed2f7e5392816

SHA512
7dcacb8ef130bd51d0f1aabf0d59b4ee44160d5c614ba27d2f0216bd509c213191399a40e1ac0b46e65c056173f06e0cfc249f9b28432a1e95fb63a2e20c8368

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
120b13ff0d8b53d791a48b23079a475b

SHA1
4779d30d10b2f8aacdf96fe1eb33c7b009af81c7

SHA256
786dadbde3caf3c9c2208cad7c6ecf521660768e332bc4baf5a75bae4fc047b5

SHA512
0e64268c6356f715022548a034877335737dc4a3719cb18ed78493e781608feafa99840799bb49aa9f3f07d88da7ecd378a1c37a7fa87f4242da27fd18b6244b

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
134KB

MD5
66a052867a9e00d9e3d685cd7d70820e

SHA1
e99c3adee5d9a9abc25962c6d35110dc68d352ef

SHA256
00e0e888fd6880f33657fabf75bdfee30e5a6171789996836735e9c498d89999

SHA512
231e1b1ea3b0d27a4467e47c911fe17433fc8ec403ba6be9ea42524278182fc3aabb3c10119bc12be2fcdf0f1edf266de8228ca4e186f371c11beb0be8ad76c7

Download Submit
memory/1272-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1272-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1272-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1272-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1836-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1836-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3400-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3400-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3400-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3400-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3400-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3400-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3400-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3412-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3412-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3412-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3412-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3792-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4268-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4992-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4992-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4992-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5064-35-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads