neconyd | 94396da6be5a0ac1e3f30e9991ca1e52d630da7d106c4085a6369f205a5e7625

General

Target

38e5049cc2c3ee6a9d292e116a521c20_NeikiAnalytics.exe
Size

35KB
MD5

38e5049cc2c3ee6a9d292e116a521c20
SHA1

862a019ea52f61c7be6611ec09be190d9e5a551f
SHA256

94396da6be5a0ac1e3f30e9991ca1e52d630da7d106c4085a6369f205a5e7625
SHA512

f184b288b0f560f2ece919a5096c1840b18a8c21107e90bc9505784568e9aca55508f3db8a3c87db2136a91bd8397e9410e02be4e721fd23890a485469e8e3e3
SSDEEP

768:g6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:38Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2892	omsecor.exe
3460	omsecor.exe
5076	omsecor.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1928-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2892-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x0008000000023297-6.dat	upx
behavioral2/memory/1928-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2892-8-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2892-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2892-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2892-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000f0000000233d3-18.dat	upx
behavioral2/memory/3460-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2892-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x0008000000023297-25.dat	upx
behavioral2/memory/3460-27-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/5076-29-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/5076-30-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/5076-33-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2892	1928	38e5049cc2c3ee6a9d292e116a521c20_NeikiAnalytics.exe	83
PID 1928 wrote to memory of 2892	1928	38e5049cc2c3ee6a9d292e116a521c20_NeikiAnalytics.exe	83
PID 1928 wrote to memory of 2892	1928	38e5049cc2c3ee6a9d292e116a521c20_NeikiAnalytics.exe	83
PID 2892 wrote to memory of 3460	2892	omsecor.exe	101
PID 2892 wrote to memory of 3460	2892	omsecor.exe	101
PID 2892 wrote to memory of 3460	2892	omsecor.exe	101
PID 3460 wrote to memory of 5076	3460	omsecor.exe	102
PID 3460 wrote to memory of 5076	3460	omsecor.exe	102
PID 3460 wrote to memory of 5076	3460	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\38e5049cc2c3ee6a9d292e116a521c20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\38e5049cc2c3ee6a9d292e116a521c20_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:5076

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
8399fdd3eb6691922312e5fe209f98e0

SHA1
a6c521877a2db0b05937d9b02ad27074cd6c1ed6

SHA256
300e8871824d3ba671ea254d824c2a3356b9775b0f6e9ae73fe6773d6ba7fd23

SHA512
3ac4ca78047b9e2758985c63f1d135058f13bb136db7589ed5086a0bf2c59ff44237ae0db2fc1b56c6a1a864232d6a8a5fca6b12e5ea5abcc97a257f9cfa7e2d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
0bf1602012868bf181c80b7190cdc2c5

SHA1
4474cb0f23dfba1739f2562dcd2e4037db103281

SHA256
c86a8225e5b16b6d67bb794a07260b9a53f47332fee023b9d813443d8adc5671

SHA512
872dbcefbc59ab8db3b7122059c0645de0b6c5b5c059809af718d374db665cc822e3053a994204919473bfc31c572b9c53ee764f1d62727ab582ec460b928a5a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
5451cf9ac423b64ef64f02b2cfe169a4

SHA1
a03b6ec6c00bc5746ff9f4bc2410cccd3b94c5b9

SHA256
1e78f0149047bcd864a43245941731b559883f832326f6e169849c2425634430

SHA512
55cdbb82e407f2c750421108aa9e0e19fc116db43a093032c76818fb7340c217df3afa7d7dd2b81ddf69f2f4e6940018763a9f76076a2f12fa1f7e4829c76e58

Download Submit
memory/1928-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1928-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2892-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2892-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2892-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2892-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2892-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2892-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3460-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3460-27-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5076-29-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5076-30-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5076-33-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing