neconyd | 6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6

General

Target

6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
Size

96KB
MD5

228077d934b806baaff8fe8eaf03b130
SHA1

e36c0e1572a0ffd0509a5d42889d501582c12a7f
SHA256

6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6
SHA512

80977a4afd1ad57ff72fda02c5b2af6f3dcfe3d223a88ae210e7fbf2b0953a3d2700a3ec0f6d57502583b7da4359d6675ee542db75721f8395851591b9ad66af
SSDEEP

1536:RnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:RGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

2892 omsecor.exe
2648 omsecor.exe
1272 omsecor.exe
2744 omsecor.exe
1528 omsecor.exe
2072 omsecor.exe

pid	process
2892	omsecor.exe
2648	omsecor.exe
1272	omsecor.exe
2744	omsecor.exe
1528	omsecor.exe
2072	omsecor.exe

Loads dropped DLL 7 IoCs

Processes:

6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

pid	process
3016	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
3016	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
2892	omsecor.exe
2648	omsecor.exe
2648	omsecor.exe
2744	omsecor.exe
2744	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2952 set thread context of 3016	2952	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
PID 2892 set thread context of 2648	2892	omsecor.exe	omsecor.exe
PID 1272 set thread context of 2744	1272	omsecor.exe	omsecor.exe
PID 1528 set thread context of 2072	1528	omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2952 wrote to memory of 3016	2952	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
PID 2952 wrote to memory of 3016	2952	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
PID 2952 wrote to memory of 3016	2952	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
PID 2952 wrote to memory of 3016	2952	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
PID 2952 wrote to memory of 3016	2952	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
PID 2952 wrote to memory of 3016	2952	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
PID 3016 wrote to memory of 2892	3016	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	omsecor.exe
PID 3016 wrote to memory of 2892	3016	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	omsecor.exe
PID 3016 wrote to memory of 2892	3016	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	omsecor.exe
PID 3016 wrote to memory of 2892	3016	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	omsecor.exe
PID 2892 wrote to memory of 2648	2892	omsecor.exe	omsecor.exe
PID 2892 wrote to memory of 2648	2892	omsecor.exe	omsecor.exe
PID 2892 wrote to memory of 2648	2892	omsecor.exe	omsecor.exe
PID 2892 wrote to memory of 2648	2892	omsecor.exe	omsecor.exe
PID 2892 wrote to memory of 2648	2892	omsecor.exe	omsecor.exe
PID 2892 wrote to memory of 2648	2892	omsecor.exe	omsecor.exe
PID 2648 wrote to memory of 1272	2648	omsecor.exe	omsecor.exe
PID 2648 wrote to memory of 1272	2648	omsecor.exe	omsecor.exe
PID 2648 wrote to memory of 1272	2648	omsecor.exe	omsecor.exe
PID 2648 wrote to memory of 1272	2648	omsecor.exe	omsecor.exe
PID 1272 wrote to memory of 2744	1272	omsecor.exe	omsecor.exe
PID 1272 wrote to memory of 2744	1272	omsecor.exe	omsecor.exe
PID 1272 wrote to memory of 2744	1272	omsecor.exe	omsecor.exe
PID 1272 wrote to memory of 2744	1272	omsecor.exe	omsecor.exe
PID 1272 wrote to memory of 2744	1272	omsecor.exe	omsecor.exe
PID 1272 wrote to memory of 2744	1272	omsecor.exe	omsecor.exe
PID 2744 wrote to memory of 1528	2744	omsecor.exe	omsecor.exe
PID 2744 wrote to memory of 1528	2744	omsecor.exe	omsecor.exe
PID 2744 wrote to memory of 1528	2744	omsecor.exe	omsecor.exe
PID 2744 wrote to memory of 1528	2744	omsecor.exe	omsecor.exe
PID 1528 wrote to memory of 2072	1528	omsecor.exe	omsecor.exe
PID 1528 wrote to memory of 2072	1528	omsecor.exe	omsecor.exe
PID 1528 wrote to memory of 2072	1528	omsecor.exe	omsecor.exe
PID 1528 wrote to memory of 2072	1528	omsecor.exe	omsecor.exe
PID 1528 wrote to memory of 2072	1528	omsecor.exe	omsecor.exe
PID 1528 wrote to memory of 2072	1528	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2952

C:\Users\Admin\AppData\Local\Temp\6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:2072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
0b5fee4909cb90d48d71a5c6670417d9

SHA1
00a9058e9d952e07e09c19f45cd37368c22185ad

SHA256
0b74ecbc1fc23ca4830dfd05c4f8fa5bdf452fa4455998d7c387f2657cc60902

SHA512
751b6c7f59993d3647149571bd5aaa7d2bb6a594e567e613643457c8c6add7821e58ab1756bf95a1b89e7a02c467a4fbea47d1dedfe3687a7c181e191cf61f35

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
c5b7406345b683aac0518b373cbdd84f

SHA1
0deb562e86650e10b65beee9ba28a992c4a4888f

SHA256
6ee25416e01a90525d076d17facf705c7074660850cb079b47a45e65f8b0649e

SHA512
19ab5be9c66b86a9d4b6fcd5d0182045560ce2fde9dadaf1f1692cfed64a2fc3ae82a3c6a3bab36e44682bc2d6fba04319ed50a1b8a8fc5b738fa9402991c1c6

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
96KB

MD5
9d08ee470c3b3891b79ecc6f44b83157

SHA1
d53b817bf5185c9b2d41a0f086be835b629099ab

SHA256
f80ebb2ee7861f194b329babab3f8714fddfc45dd79ad4f23a6ec7ee07c2d4eb

SHA512
6c4aa86568628227681a4fea6b17409544812863e234798f7e48688d3034a28c028442b4406f8c3a84e09ed4c53b34aa8995adf80b9908118cd265295e91041a

Download Submit
memory/1272-62-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1272-54-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1528-84-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1528-77-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2072-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2072-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2648-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2648-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2648-44-0x0000000000310000-0x0000000000333000-memory.dmp

Filesize
140KB

Download
memory/2648-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2648-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2744-69-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2892-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2892-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2952-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2952-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3016-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3016-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads