neconyd | 94396da6be5a0ac1e3f30e9991ca1e52d630da7d106c4085a6369f205a5e7625

General

Target

38e5049cc2c3ee6a9d292e116a521c20_NeikiAnalytics.exe
Size

35KB
MD5

38e5049cc2c3ee6a9d292e116a521c20
SHA1

862a019ea52f61c7be6611ec09be190d9e5a551f
SHA256

94396da6be5a0ac1e3f30e9991ca1e52d630da7d106c4085a6369f205a5e7625
SHA512

f184b288b0f560f2ece919a5096c1840b18a8c21107e90bc9505784568e9aca55508f3db8a3c87db2136a91bd8397e9410e02be4e721fd23890a485469e8e3e3
SSDEEP

768:g6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:38Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2272	omsecor.exe
2624	omsecor.exe
1956	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2776	38e5049cc2c3ee6a9d292e116a521c20_NeikiAnalytics.exe
2776	38e5049cc2c3ee6a9d292e116a521c20_NeikiAnalytics.exe
2272	omsecor.exe
2272	omsecor.exe
2624	omsecor.exe
2624	omsecor.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000015c23-4.dat	upx
behavioral1/memory/2272-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2776-9-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2776-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2272-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2272-16-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2272-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2272-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x001000000000f680-24.dat	upx
behavioral1/memory/2272-25-0x0000000001F60000-0x0000000001F8D000-memory.dmp	upx
behavioral1/memory/2272-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x0009000000015c23-36.dat	upx
behavioral1/memory/2624-38-0x0000000000220000-0x000000000024D000-memory.dmp	upx
behavioral1/memory/1956-47-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2624-44-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1956-48-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1956-51-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2272	2776	38e5049cc2c3ee6a9d292e116a521c20_NeikiAnalytics.exe	28
PID 2776 wrote to memory of 2272	2776	38e5049cc2c3ee6a9d292e116a521c20_NeikiAnalytics.exe	28
PID 2776 wrote to memory of 2272	2776	38e5049cc2c3ee6a9d292e116a521c20_NeikiAnalytics.exe	28
PID 2776 wrote to memory of 2272	2776	38e5049cc2c3ee6a9d292e116a521c20_NeikiAnalytics.exe	28
PID 2272 wrote to memory of 2624	2272	omsecor.exe	32
PID 2272 wrote to memory of 2624	2272	omsecor.exe	32
PID 2272 wrote to memory of 2624	2272	omsecor.exe	32
PID 2272 wrote to memory of 2624	2272	omsecor.exe	32
PID 2624 wrote to memory of 1956	2624	omsecor.exe	33
PID 2624 wrote to memory of 1956	2624	omsecor.exe	33
PID 2624 wrote to memory of 1956	2624	omsecor.exe	33
PID 2624 wrote to memory of 1956	2624	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\38e5049cc2c3ee6a9d292e116a521c20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\38e5049cc2c3ee6a9d292e116a521c20_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
e89a1749a57d2ac253ed806ffb4e4342

SHA1
ac845fde0a4ef574615b512af14eadbb0cc0e1ae

SHA256
d0e1c85724bedf277041480f1448e32ede639d1d70382e98be0660ea30fc9629

SHA512
d0a662503f98f91b617b3aba1131a8bf1e4d7da156ec066ed9e6e42ed69dabcd0636fa3ded5ba92c3ba2b266773661034c30ae4c055203f4716a61cfb2b123ba

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
0bf1602012868bf181c80b7190cdc2c5

SHA1
4474cb0f23dfba1739f2562dcd2e4037db103281

SHA256
c86a8225e5b16b6d67bb794a07260b9a53f47332fee023b9d813443d8adc5671

SHA512
872dbcefbc59ab8db3b7122059c0645de0b6c5b5c059809af718d374db665cc822e3053a994204919473bfc31c572b9c53ee764f1d62727ab582ec460b928a5a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
6db5360d3d6741b9cb64c99e9e2ce6ce

SHA1
d7da64c5bc5044418c33a9ee455d105a628b373d

SHA256
8240325b077439f16b5e523f358b4d2d6fd4a215751e7ee3cdde217553401afa

SHA512
f96b39169d8d3dca4061fefa3bb89a45f3e636ce2a7c829afef5cf7fd287c2d96764448261bb8fe74f5d65eab493d0ddbc946fb2a4453d8354bf950d0a20b1f8

Download Submit
memory/1956-51-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1956-48-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1956-47-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2272-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2272-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2272-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2272-25-0x0000000001F60000-0x0000000001F8D000-memory.dmp

Filesize
180KB

Download
memory/2272-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2272-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2272-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2624-38-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/2624-44-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2776-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2776-9-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing