neconyd | 61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3

General

Target

61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
Size

96KB
MD5

6f94ce0ecf4a3983647c51a59dc02430
SHA1

332e14581eec49a6dea1f23d4af4a39a4c44e730
SHA256

61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3
SHA512

2d0981351d0bac5c339fc1cd49a06744a24c7afab241d6c66d961dfc29841af43016428678066a820bc43acbd7c9a670c4a3296904762925cc3a507b7766e705
SSDEEP

1536:jnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:jGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

2364 omsecor.exe
2540 omsecor.exe
2408 omsecor.exe
2616 omsecor.exe
1444 omsecor.exe
1248 omsecor.exe

pid	process
2364	omsecor.exe
2540	omsecor.exe
2408	omsecor.exe
2616	omsecor.exe
1444	omsecor.exe
1248	omsecor.exe

Loads dropped DLL 7 IoCs

Processes:

61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

pid	process
1592	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
1592	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
2364	omsecor.exe
2540	omsecor.exe
2540	omsecor.exe
2616	omsecor.exe
2616	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2176 set thread context of 1592	2176	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
PID 2364 set thread context of 2540	2364	omsecor.exe	omsecor.exe
PID 2408 set thread context of 2616	2408	omsecor.exe	omsecor.exe
PID 1444 set thread context of 1248	1444	omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2176 wrote to memory of 1592	2176	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
PID 2176 wrote to memory of 1592	2176	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
PID 2176 wrote to memory of 1592	2176	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
PID 2176 wrote to memory of 1592	2176	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
PID 2176 wrote to memory of 1592	2176	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
PID 2176 wrote to memory of 1592	2176	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
PID 1592 wrote to memory of 2364	1592	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	omsecor.exe
PID 1592 wrote to memory of 2364	1592	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	omsecor.exe
PID 1592 wrote to memory of 2364	1592	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	omsecor.exe
PID 1592 wrote to memory of 2364	1592	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	omsecor.exe
PID 2364 wrote to memory of 2540	2364	omsecor.exe	omsecor.exe
PID 2364 wrote to memory of 2540	2364	omsecor.exe	omsecor.exe
PID 2364 wrote to memory of 2540	2364	omsecor.exe	omsecor.exe
PID 2364 wrote to memory of 2540	2364	omsecor.exe	omsecor.exe
PID 2364 wrote to memory of 2540	2364	omsecor.exe	omsecor.exe
PID 2364 wrote to memory of 2540	2364	omsecor.exe	omsecor.exe
PID 2540 wrote to memory of 2408	2540	omsecor.exe	omsecor.exe
PID 2540 wrote to memory of 2408	2540	omsecor.exe	omsecor.exe
PID 2540 wrote to memory of 2408	2540	omsecor.exe	omsecor.exe
PID 2540 wrote to memory of 2408	2540	omsecor.exe	omsecor.exe
PID 2408 wrote to memory of 2616	2408	omsecor.exe	omsecor.exe
PID 2408 wrote to memory of 2616	2408	omsecor.exe	omsecor.exe
PID 2408 wrote to memory of 2616	2408	omsecor.exe	omsecor.exe
PID 2408 wrote to memory of 2616	2408	omsecor.exe	omsecor.exe
PID 2408 wrote to memory of 2616	2408	omsecor.exe	omsecor.exe
PID 2408 wrote to memory of 2616	2408	omsecor.exe	omsecor.exe
PID 2616 wrote to memory of 1444	2616	omsecor.exe	omsecor.exe
PID 2616 wrote to memory of 1444	2616	omsecor.exe	omsecor.exe
PID 2616 wrote to memory of 1444	2616	omsecor.exe	omsecor.exe
PID 2616 wrote to memory of 1444	2616	omsecor.exe	omsecor.exe
PID 1444 wrote to memory of 1248	1444	omsecor.exe	omsecor.exe
PID 1444 wrote to memory of 1248	1444	omsecor.exe	omsecor.exe
PID 1444 wrote to memory of 1248	1444	omsecor.exe	omsecor.exe
PID 1444 wrote to memory of 1248	1444	omsecor.exe	omsecor.exe
PID 1444 wrote to memory of 1248	1444	omsecor.exe	omsecor.exe
PID 1444 wrote to memory of 1248	1444	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:1248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
b149d293a0ed8334945013506df70f8b

SHA1
66ac12845a9efaf9d4bceba08e074bccc32d5123

SHA256
dd1090d5b6ee1dae44355f82ea9a02b910c1129d009457a514f60c28ccce1581

SHA512
c213cf67686315d8c375faf788d6aac42f2763a65f470db6449d95dcb6d2341046ef6af44fbdbce0851b993cc5047016bca8bc8e1b5fc5fdcb7629c10571f377

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
a6ae4bb98113b33cbf6f2d3bd00ab483

SHA1
f9d5a58a6dec68439d9beac65bf3a52f26596308

SHA256
327cabf4d711a04abafb3b1402f1ae6d07757775297bdf4de8a6a8d52b5347a3

SHA512
6ef148c24a90b504f077a7c68e2f74c9d69bdd5cfc7b89698fd0b17338c5704b60b4cf69cdf84ae049e2f07531ca75653a7cd2125e847518432766bb41f5bef7

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
96KB

MD5
ca5f75490773ad0d7714eb14341ecf89

SHA1
0fe35ff58173878663f9c8b7ba8aff890131a208

SHA256
486fae5d7efb48eaeefc26d90e4752b38500b3be9ead5266f325db15649c07af

SHA512
0a776660bf9de1ab4ece8032a8447b081b20e1c76d5c806c2ef6c778de8588a0b0b75f43535c913ce378b72c143b2bbaaf8cb75149ccf84f99ea9ba93be035b8

Download Submit
memory/1248-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1248-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1444-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1444-89-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1592-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1592-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1592-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1592-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1592-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2176-1-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2176-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2176-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2364-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2364-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2408-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2408-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2540-53-0x0000000001F90000-0x0000000001FB3000-memory.dmp

Filesize
140KB

Download
memory/2540-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-54-0x0000000001F90000-0x0000000001FB3000-memory.dmp

Filesize
140KB

Download
memory/2540-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2616-73-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads