neconyd | 61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3

General

Target

61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
Size

96KB
MD5

6f94ce0ecf4a3983647c51a59dc02430
SHA1

332e14581eec49a6dea1f23d4af4a39a4c44e730
SHA256

61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3
SHA512

2d0981351d0bac5c339fc1cd49a06744a24c7afab241d6c66d961dfc29841af43016428678066a820bc43acbd7c9a670c4a3296904762925cc3a507b7766e705
SSDEEP

1536:jnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:jGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

2832 omsecor.exe
1560 omsecor.exe
5032 omsecor.exe
1008 omsecor.exe
4144 omsecor.exe
2132 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
2832	omsecor.exe
1560	omsecor.exe
5032	omsecor.exe
1008	omsecor.exe
4144	omsecor.exe
2132	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1008 set thread context of 2628	1008	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
PID 2832 set thread context of 1560	2832	omsecor.exe	omsecor.exe
PID 5032 set thread context of 1008	5032	omsecor.exe	omsecor.exe
PID 4144 set thread context of 2132	4144	omsecor.exe	omsecor.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2656	1008	WerFault.exe	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
4576	2832	WerFault.exe	omsecor.exe
3540	5032	WerFault.exe	omsecor.exe
4028	4144	WerFault.exe	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1008 wrote to memory of 2628	1008	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
PID 1008 wrote to memory of 2628	1008	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
PID 1008 wrote to memory of 2628	1008	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
PID 1008 wrote to memory of 2628	1008	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
PID 1008 wrote to memory of 2628	1008	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
PID 2628 wrote to memory of 2832	2628	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	omsecor.exe
PID 2628 wrote to memory of 2832	2628	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	omsecor.exe
PID 2628 wrote to memory of 2832	2628	61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe	omsecor.exe
PID 2832 wrote to memory of 1560	2832	omsecor.exe	omsecor.exe
PID 2832 wrote to memory of 1560	2832	omsecor.exe	omsecor.exe
PID 2832 wrote to memory of 1560	2832	omsecor.exe	omsecor.exe
PID 2832 wrote to memory of 1560	2832	omsecor.exe	omsecor.exe
PID 2832 wrote to memory of 1560	2832	omsecor.exe	omsecor.exe
PID 1560 wrote to memory of 5032	1560	omsecor.exe	omsecor.exe
PID 1560 wrote to memory of 5032	1560	omsecor.exe	omsecor.exe
PID 1560 wrote to memory of 5032	1560	omsecor.exe	omsecor.exe
PID 5032 wrote to memory of 1008	5032	omsecor.exe	omsecor.exe
PID 5032 wrote to memory of 1008	5032	omsecor.exe	omsecor.exe
PID 5032 wrote to memory of 1008	5032	omsecor.exe	omsecor.exe
PID 5032 wrote to memory of 1008	5032	omsecor.exe	omsecor.exe
PID 5032 wrote to memory of 1008	5032	omsecor.exe	omsecor.exe
PID 1008 wrote to memory of 4144	1008	omsecor.exe	omsecor.exe
PID 1008 wrote to memory of 4144	1008	omsecor.exe	omsecor.exe
PID 1008 wrote to memory of 4144	1008	omsecor.exe	omsecor.exe
PID 4144 wrote to memory of 2132	4144	omsecor.exe	omsecor.exe
PID 4144 wrote to memory of 2132	4144	omsecor.exe	omsecor.exe
PID 4144 wrote to memory of 2132	4144	omsecor.exe	omsecor.exe
PID 4144 wrote to memory of 2132	4144	omsecor.exe	omsecor.exe
PID 4144 wrote to memory of 2132	4144	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\61d34a63868a3855222b79dab01a8b938950c5cac64d6ab1279aa3062426bed3_NeikiAnalytics.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4144

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 244
8⤵
- Program crash
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 292
6⤵
- Program crash
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 288
4⤵
- Program crash
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 288
2⤵
- Program crash
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1008 -ip 1008
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2832 -ip 2832
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 5032 -ip 5032
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4144 -ip 4144
1⤵
PID:3464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
2de7898273669abaf3d8e5ac1dcee03b

SHA1
279c55ffe08f8c81cb0d667dfc3ca86bcc4e71b6

SHA256
40f833a83aaa5c9524c2f92176d2e47200040fefc99d78c10e64e66a59dd3d85

SHA512
be9cafbbd56950013a035f904d85a006f9e9c6e75f2080a1be5cb0b7817ee43b1eacf489b814b5f12ca5075e346f23e527259ffe69b432fc0447c7879467d852

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
b149d293a0ed8334945013506df70f8b

SHA1
66ac12845a9efaf9d4bceba08e074bccc32d5123

SHA256
dd1090d5b6ee1dae44355f82ea9a02b910c1129d009457a514f60c28ccce1581

SHA512
c213cf67686315d8c375faf788d6aac42f2763a65f470db6449d95dcb6d2341046ef6af44fbdbce0851b993cc5047016bca8bc8e1b5fc5fdcb7629c10571f377

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
96KB

MD5
58dd4558995f2d621284d7b27239b20e

SHA1
932720096ad94368bf6d34454853bac330dd8988

SHA256
61a0c535af34ad5db12f456d09d4d54f32abc8f2521b6498b14a6468a8a5508f

SHA512
4c72ee11b36b870ba093a3d50b55afa2ba4323906a6e9d72e62158ede7fe628a8d90092017a38e5fb8e26e0b818838054a759cb07ef5c5404f7c4b8f854b8dde

Download Submit
memory/1008-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1008-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1008-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1008-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1560-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1560-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1560-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1560-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1560-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1560-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1560-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2628-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2628-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2628-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2628-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2832-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4144-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4144-43-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5032-50-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5032-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads