neconyd | 6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6

General

Target

6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
Size

96KB
MD5

228077d934b806baaff8fe8eaf03b130
SHA1

e36c0e1572a0ffd0509a5d42889d501582c12a7f
SHA256

6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6
SHA512

80977a4afd1ad57ff72fda02c5b2af6f3dcfe3d223a88ae210e7fbf2b0953a3d2700a3ec0f6d57502583b7da4359d6675ee542db75721f8395851591b9ad66af
SSDEEP

1536:RnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:RGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

1900 omsecor.exe
1160 omsecor.exe
2300 omsecor.exe
4216 omsecor.exe
4064 omsecor.exe
1508 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
1900	omsecor.exe
1160	omsecor.exe
2300	omsecor.exe
4216	omsecor.exe
4064	omsecor.exe
1508	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2684 set thread context of 1276	2684	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
PID 1900 set thread context of 1160	1900	omsecor.exe	omsecor.exe
PID 2300 set thread context of 4216	2300	omsecor.exe	omsecor.exe
PID 4064 set thread context of 1508	4064	omsecor.exe	omsecor.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4836	2684	WerFault.exe	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
2928	1900	WerFault.exe	omsecor.exe
772	2300	WerFault.exe	omsecor.exe
2592	4064	WerFault.exe	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2684 wrote to memory of 1276	2684	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
PID 2684 wrote to memory of 1276	2684	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
PID 2684 wrote to memory of 1276	2684	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
PID 2684 wrote to memory of 1276	2684	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
PID 2684 wrote to memory of 1276	2684	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
PID 1276 wrote to memory of 1900	1276	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	omsecor.exe
PID 1276 wrote to memory of 1900	1276	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	omsecor.exe
PID 1276 wrote to memory of 1900	1276	6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe	omsecor.exe
PID 1900 wrote to memory of 1160	1900	omsecor.exe	omsecor.exe
PID 1900 wrote to memory of 1160	1900	omsecor.exe	omsecor.exe
PID 1900 wrote to memory of 1160	1900	omsecor.exe	omsecor.exe
PID 1900 wrote to memory of 1160	1900	omsecor.exe	omsecor.exe
PID 1900 wrote to memory of 1160	1900	omsecor.exe	omsecor.exe
PID 1160 wrote to memory of 2300	1160	omsecor.exe	omsecor.exe
PID 1160 wrote to memory of 2300	1160	omsecor.exe	omsecor.exe
PID 1160 wrote to memory of 2300	1160	omsecor.exe	omsecor.exe
PID 2300 wrote to memory of 4216	2300	omsecor.exe	omsecor.exe
PID 2300 wrote to memory of 4216	2300	omsecor.exe	omsecor.exe
PID 2300 wrote to memory of 4216	2300	omsecor.exe	omsecor.exe
PID 2300 wrote to memory of 4216	2300	omsecor.exe	omsecor.exe
PID 2300 wrote to memory of 4216	2300	omsecor.exe	omsecor.exe
PID 4216 wrote to memory of 4064	4216	omsecor.exe	omsecor.exe
PID 4216 wrote to memory of 4064	4216	omsecor.exe	omsecor.exe
PID 4216 wrote to memory of 4064	4216	omsecor.exe	omsecor.exe
PID 4064 wrote to memory of 1508	4064	omsecor.exe	omsecor.exe
PID 4064 wrote to memory of 1508	4064	omsecor.exe	omsecor.exe
PID 4064 wrote to memory of 1508	4064	omsecor.exe	omsecor.exe
PID 4064 wrote to memory of 1508	4064	omsecor.exe	omsecor.exe
PID 4064 wrote to memory of 1508	4064	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\6a90326eaac24fe7a12d29e3bf5e8140130788716eb6cbd754c35a29c9bb8db6_NeikiAnalytics.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4064

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 256
8⤵
- Program crash
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 296
6⤵
- Program crash
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 300
4⤵
- Program crash
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 288
2⤵
- Program crash
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2684 -ip 2684
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1900 -ip 1900
1⤵
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3048,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:8
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2300 -ip 2300
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4064 -ip 4064
1⤵
PID:3104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
0b5fee4909cb90d48d71a5c6670417d9

SHA1
00a9058e9d952e07e09c19f45cd37368c22185ad

SHA256
0b74ecbc1fc23ca4830dfd05c4f8fa5bdf452fa4455998d7c387f2657cc60902

SHA512
751b6c7f59993d3647149571bd5aaa7d2bb6a594e567e613643457c8c6add7821e58ab1756bf95a1b89e7a02c467a4fbea47d1dedfe3687a7c181e191cf61f35

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
b44e6363164784df4d99fee58a40ae09

SHA1
fd0e85548ff5a3ab53dcefe7b435ca3c27077359

SHA256
99c2bb9d8e24cb2f1ea68c126a8c1f0751a1385c4aa060e4dd1ef25df1805147

SHA512
202e6432c1b71388beb36fc0d3c8cb0af7b770c9077a692bde7ec939dde39d995a0aab4658eafc5ca0e3d186e8fdd3569d511f54c821eb7763dccb21e6168221

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
96KB

MD5
8e4b9c13b289cb0a0e16ae40f5d29d9a

SHA1
5a85442bb41c6d3e58f4d68b15eda8f5f1eb53b1

SHA256
24c58133e5663b0009d2bd040d7605406811cb9b9ddaf42d9c59b2ede43f3113

SHA512
8fbb13418e1c6e5af15aa2009729295e5f7d07add072071ab3dc6268cfaa9cbc572a58cd5d57799a89b543c96a044d805bbd0e84faf55932227e2815104ecfcb

Download Submit
memory/1160-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1160-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1160-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1160-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1160-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1160-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1160-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1276-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1276-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1276-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1276-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1508-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1508-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1508-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1508-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1900-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1900-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2300-35-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2300-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2684-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2684-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4064-46-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4216-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4216-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4216-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads