neconyd | 652eae81bad97f50fc372e9a7c8a7b03373976b606d1cf6640112a03031f5f18

General

Target

52ff1e431cce75c839dbbddf5a942bc0_NeikiAnalytics.exe
Size

35KB
MD5

52ff1e431cce75c839dbbddf5a942bc0
SHA1

137e6cada80654817b37a0f9ae5b8c7c3a9ff193
SHA256

652eae81bad97f50fc372e9a7c8a7b03373976b606d1cf6640112a03031f5f18
SHA512

2aab29ef488b7060b6c5746f3301fa284b572636c8cd364e024064e75c0cd44b1955f72c6e042797900d37f0ed3cdc4922e33c282b22a14a5de0196d02a76cc8
SSDEEP

768:r6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:W8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
1116	omsecor.exe
4372	omsecor.exe
3688	omsecor.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/640-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/640-6-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x0008000000022f51-3.dat	upx
behavioral2/memory/1116-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1116-8-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1116-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1116-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1116-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000d00000002339e-18.dat	upx
behavioral2/memory/1116-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4372-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4372-26-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x0008000000022f51-27.dat	upx
behavioral2/memory/3688-28-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3688-30-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3688-33-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 1116	640	52ff1e431cce75c839dbbddf5a942bc0_NeikiAnalytics.exe	82
PID 640 wrote to memory of 1116	640	52ff1e431cce75c839dbbddf5a942bc0_NeikiAnalytics.exe	82
PID 640 wrote to memory of 1116	640	52ff1e431cce75c839dbbddf5a942bc0_NeikiAnalytics.exe	82
PID 1116 wrote to memory of 4372	1116	omsecor.exe	92
PID 1116 wrote to memory of 4372	1116	omsecor.exe	92
PID 1116 wrote to memory of 4372	1116	omsecor.exe	92
PID 4372 wrote to memory of 3688	4372	omsecor.exe	93
PID 4372 wrote to memory of 3688	4372	omsecor.exe	93
PID 4372 wrote to memory of 3688	4372	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\52ff1e431cce75c839dbbddf5a942bc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\52ff1e431cce75c839dbbddf5a942bc0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:3688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
149129c57ab7de3e6f911b2bbc423e7b

SHA1
b0e6dc2b07afa401f106b55260434f48ad9115c1

SHA256
02ecacae15b573aa52cba33baca1218f76a38c0d7ebd2e33c6654ce3cd2249cf

SHA512
3f2121f11a11a8bf5d4cccafecfd84b94adf557f485055874aaa3f9ca96dd604b8340b40687f4c68b6ee97b648b743cdd71f79712f1e1160006ecd57542dc84d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
1538044fbf3b783db5c059b5def45939

SHA1
e157051803d3047c9880c62fb54f8716a8c6b0c4

SHA256
e571ca7bf3c2f69420e42dbcbd00686e4de3dad7d887fedd1ae90d38238cf6c9

SHA512
1912a25ac9f693ac4e15f4fd6001811798a033be38429ff008e89a20a09c01f41a29e13e9b1c8a339409752b852dd2fb838c3ab27b3f0e07334219cb7a1421b3

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
4a1a3c97b99dfd4a6828350991721f14

SHA1
5b1e0e686d3dbfde442cad48453ccedba7c831f4

SHA256
130af00fe2aac1af1f3a34b84f1aca8b0f980de1f39b519252dc18e86f8ff920

SHA512
ccb3bd413ab8ef60c99774e4e98d30405be7d4eef2493f75ee8e739a4b66501f79559ed6065af68a5c71c0f5be42b8b35070a5d1988a7d4ab2effbc5937c52f1

Download Submit
memory/640-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/640-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1116-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1116-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1116-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1116-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1116-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1116-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3688-28-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3688-30-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3688-33-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4372-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4372-26-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing