neconyd | c8de44bd4f05c57a39cfca02d4a74bc36c4e5de07a9d1738ab59f2262c2775ea

General

Target

b8b1400368236bd038f6be72c19fc090_NeikiAnalytics.exe
Size

35KB
MD5

b8b1400368236bd038f6be72c19fc090
SHA1

8ffce9e76e5d0c46bd32db36ef12d9d063e630cd
SHA256

c8de44bd4f05c57a39cfca02d4a74bc36c4e5de07a9d1738ab59f2262c2775ea
SHA512

2cba453b9b2a9ec1b574e438795a90fd0ba674710994b271de3a69ac926519b005f3557c7ef33c066a74062c88c0d3ee27c2dae472ecbfbfd837544a8b07007f
SSDEEP

768:c6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:b8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2464	omsecor.exe
2220	omsecor.exe
1308	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2436	b8b1400368236bd038f6be72c19fc090_NeikiAnalytics.exe
2436	b8b1400368236bd038f6be72c19fc090_NeikiAnalytics.exe
2464	omsecor.exe
2464	omsecor.exe
2220	omsecor.exe
2220	omsecor.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2436-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000b000000012279-2.dat	upx
behavioral1/memory/2464-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2436-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2464-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2464-16-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2464-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2464-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-24.dat	upx
behavioral1/memory/2464-25-0x0000000000280000-0x00000000002AD000-memory.dmp	upx
behavioral1/memory/2464-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2220-36-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000b000000012279-42.dat	upx
behavioral1/memory/2220-44-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1308-46-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1308-48-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1308-51-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2464	2436	b8b1400368236bd038f6be72c19fc090_NeikiAnalytics.exe	28
PID 2436 wrote to memory of 2464	2436	b8b1400368236bd038f6be72c19fc090_NeikiAnalytics.exe	28
PID 2436 wrote to memory of 2464	2436	b8b1400368236bd038f6be72c19fc090_NeikiAnalytics.exe	28
PID 2436 wrote to memory of 2464	2436	b8b1400368236bd038f6be72c19fc090_NeikiAnalytics.exe	28
PID 2464 wrote to memory of 2220	2464	omsecor.exe	32
PID 2464 wrote to memory of 2220	2464	omsecor.exe	32
PID 2464 wrote to memory of 2220	2464	omsecor.exe	32
PID 2464 wrote to memory of 2220	2464	omsecor.exe	32
PID 2220 wrote to memory of 1308	2220	omsecor.exe	33
PID 2220 wrote to memory of 1308	2220	omsecor.exe	33
PID 2220 wrote to memory of 1308	2220	omsecor.exe	33
PID 2220 wrote to memory of 1308	2220	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\b8b1400368236bd038f6be72c19fc090_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b8b1400368236bd038f6be72c19fc090_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
3ad3b1bad563d51d8639b97c3b6bb9c5

SHA1
55e52c44b111d89e39e924d98118fc8418fb4f13

SHA256
120b0ef5ed03c2d5fd3b139351338f95e18671dbb2ba442e7fe944efb710e306

SHA512
0fde0a74efa7f2a5d26512021867048aa5911faaa1e190c1936c7de9a7dcc26952326412d223229fe83839733f0ef8f27716e12ab30b7edaf3b91a95394d24cf

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
06b7c27a266b61551386b06fbb5bced5

SHA1
dbf8b5d9758dca68224127ce4aeda6d430d903bd

SHA256
d292e0225dce957c2d4ec5a9320b8fbc22b6c64ebcb38be875adbbdc464ed706

SHA512
9893107a5ed513bef3f6b0aca10f8dffe80f765d4aea12f1de0a75c01c5fa87bd8daa10eaa47db3f516691011289341ce19458efcc178449ce83cbc695ea1f62

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
7e42e5d9db3ff92e302f1c1ba2a7b255

SHA1
f5cc922d85e54f6d3a2d2efa11e287c917629c81

SHA256
7b4ae0b7564c30a1894ef1956cab9f0bdd51da44438252a0d95d691611329020

SHA512
875675d9536301062f98db5d99e25b1090acfdb05f5d007279ce2626ce8b8e7d053737020a519dc60e68830dec0670fa6f58a5116c87043aa9f6f37bc0363a10

Download Submit
memory/1308-51-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1308-48-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1308-46-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2220-36-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2220-44-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2436-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2436-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2464-25-0x0000000000280000-0x00000000002AD000-memory.dmp

Filesize
180KB

Download
memory/2464-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2464-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2464-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2464-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2464-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2464-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing