neconyd | 6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6

General

Target

6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe
Size

92KB
MD5

7d50d23aaae2a0c930c46d06d1dc39f0
SHA1

54726201b79b712384fba1c267971091450fdb9a
SHA256

6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6
SHA512

b2144379373d3bec5624bc60130686f28644a58cd3393776383c6016dfbfb01d7fddfc37bce181f71541d181c5f6eafb176558a75fc5f8460752d3609a2038a7
SSDEEP

768:VMEIYFGvoErlLFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:VbIYYvoE1FKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

804 omsecor.exe
2556 omsecor.exe
1940 omsecor.exe

pid	process
804	omsecor.exe
2556	omsecor.exe
1940	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exeomsecor.exeomsecor.exe

pid	process
2264	6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe
2264	6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe
804	omsecor.exe
804	omsecor.exe
2556	omsecor.exe
2556	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2264 wrote to memory of 804	2264	6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe	omsecor.exe
PID 2264 wrote to memory of 804	2264	6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe	omsecor.exe
PID 2264 wrote to memory of 804	2264	6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe	omsecor.exe
PID 2264 wrote to memory of 804	2264	6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe	omsecor.exe
PID 804 wrote to memory of 2556	804	omsecor.exe	omsecor.exe
PID 804 wrote to memory of 2556	804	omsecor.exe	omsecor.exe
PID 804 wrote to memory of 2556	804	omsecor.exe	omsecor.exe
PID 804 wrote to memory of 2556	804	omsecor.exe	omsecor.exe
PID 2556 wrote to memory of 1940	2556	omsecor.exe	omsecor.exe
PID 2556 wrote to memory of 1940	2556	omsecor.exe	omsecor.exe
PID 2556 wrote to memory of 1940	2556	omsecor.exe	omsecor.exe
PID 2556 wrote to memory of 1940	2556	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
41f9fd8198142d79df0e234628aa2fab

SHA1
4f9f321a0f247f0a9ddf416865392b0bb68a4d01

SHA256
a57a26af3eea1f03eb7f5fb338e15defb1a54f1449febff9916413ae2f9d43c9

SHA512
fae52000d1e407d17edb889ff80c4e6f10dcd66b11456dbcd97abae587882161fd69fb42e7841edfe16b09cb72f9f3a6aafd0d3abec29a472b6ae4329713754e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
e0b8cf155fa7b36155ed15cec0ab2c9d

SHA1
8019ecf3a5a1e109d3c08d40af57da66928980c9

SHA256
fbc6ac2db862e5b96186d89f9a8cfd69e0c5c473626c18743a37dc1327baddbf

SHA512
cf5e0670ec2d65fc7f5b5b429ef296b8d2b1f69738c63b2ee4c99a0080bac1fedf1a2b5d3c6e37d80797d99c08a9933cbb1c44c596bb259cfb47c226ae18a87b

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
92KB

MD5
4d98e31f7e20b761292e92407c52dcfb

SHA1
d4aedddc499236112fb165f53cab5e634f2632ba

SHA256
321d42c13e77a827f5695bde2ef680e7ce1e94d26fe98ca32888f33916845f89

SHA512
c1737326a2c6dbaedc40d5660958ecc3064b38d2e9bebde21659ece42401bb998d8ede11c0e4d9499256216fc0bb3c3864527e08c370bab8bf7430aa9e67c3a2

Download Submit
memory/804-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/804-18-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/804-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1940-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1940-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2264-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2264-8-0x00000000001B0000-0x00000000001DB000-memory.dmp

Filesize
172KB

Download
memory/2264-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2264-9-0x00000000001B0000-0x00000000001DB000-memory.dmp

Filesize
172KB

Download
memory/2556-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing