neconyd | 6b12138f1a5a98c2f5df07cbea7ab12edb866b50eed10b3f265d8cb9659b27bb

General

Target

523baf1ffa97672ef38b2189bd62b5a0_NeikiAnalytics.exe
Size

35KB
MD5

523baf1ffa97672ef38b2189bd62b5a0
SHA1

d78fb5d9d60f39c5bbe792c2eaf9b79a89c59572
SHA256

6b12138f1a5a98c2f5df07cbea7ab12edb866b50eed10b3f265d8cb9659b27bb
SHA512

ca57d5afb40dceb9c70c4a3340454246c0791a91f3889a91f89e2aca9c1c4ff37ad36133089231028f583bb8f4478d6f3b1bd8c3d7fd4e9f11826e40b5ace6a6
SSDEEP

768:V6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:Y8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 2 IoCs

pid	Process
2228	omsecor.exe
2216	omsecor.exe

Loads dropped DLL 4 IoCs

pid	Process
1868	523baf1ffa97672ef38b2189bd62b5a0_NeikiAnalytics.exe
1868	523baf1ffa97672ef38b2189bd62b5a0_NeikiAnalytics.exe
2228	omsecor.exe
2228	omsecor.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1868-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000c00000001226d-2.dat	upx
behavioral1/memory/2228-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1868-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2228-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2228-17-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2228-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2228-23-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-25.dat	upx
behavioral1/memory/2228-26-0x0000000000290000-0x00000000002BD000-memory.dmp	upx
behavioral1/memory/2228-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2216-35-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2216-38-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2228	1868	523baf1ffa97672ef38b2189bd62b5a0_NeikiAnalytics.exe	28
PID 1868 wrote to memory of 2228	1868	523baf1ffa97672ef38b2189bd62b5a0_NeikiAnalytics.exe	28
PID 1868 wrote to memory of 2228	1868	523baf1ffa97672ef38b2189bd62b5a0_NeikiAnalytics.exe	28
PID 1868 wrote to memory of 2228	1868	523baf1ffa97672ef38b2189bd62b5a0_NeikiAnalytics.exe	28
PID 2228 wrote to memory of 2216	2228	omsecor.exe	32
PID 2228 wrote to memory of 2216	2228	omsecor.exe	32
PID 2228 wrote to memory of 2216	2228	omsecor.exe	32
PID 2228 wrote to memory of 2216	2228	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\523baf1ffa97672ef38b2189bd62b5a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\523baf1ffa97672ef38b2189bd62b5a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
20e1c8111c6ad863a03bb2ca4030c9f3

SHA1
c84625bbb7a61ac50386901a0be4aad851a0136b

SHA256
8dd4b803197645c0b7366d2083bd833b4f881c18c49373fdfa8d28c9f2e09e3d

SHA512
2584e875d59a584cf701cab8b9f0576f944a5a62dad5d72520d4ce50c17c4be23b8f9c272bce2ad932bc6f958e6c962f3c079b3a2a20a06b96bf2e6dc2227878

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
b9930c47ea3f541108345cda66d5fa1c

SHA1
51646de1192615985103c4bd9c103d7fb560b8d8

SHA256
559ea5a254f26c2590a497f3b8ccf9bc87a820a3a17194a4dd8e686507f9fd4e

SHA512
f1610fb6e53d3fc57142dc9d7f922d036e1915449086ecdfacbe7e1634dd8559ba40c36b817c3f2644097072306c60c1cd631f6b1ab8c83666feeea3a44775d2

Download Submit
memory/1868-8-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/1868-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1868-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2216-38-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2216-35-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2228-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2228-23-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2228-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2228-26-0x0000000000290000-0x00000000002BD000-memory.dmp

Filesize
180KB

Download
memory/2228-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2228-17-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2228-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing