neconyd | c8de44bd4f05c57a39cfca02d4a74bc36c4e5de07a9d1738ab59f2262c2775ea

General

Target

b8b1400368236bd038f6be72c19fc090_NeikiAnalytics.exe
Size

35KB
MD5

b8b1400368236bd038f6be72c19fc090
SHA1

8ffce9e76e5d0c46bd32db36ef12d9d063e630cd
SHA256

c8de44bd4f05c57a39cfca02d4a74bc36c4e5de07a9d1738ab59f2262c2775ea
SHA512

2cba453b9b2a9ec1b574e438795a90fd0ba674710994b271de3a69ac926519b005f3557c7ef33c066a74062c88c0d3ee27c2dae472ecbfbfd837544a8b07007f
SSDEEP

768:c6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:b8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2284	omsecor.exe
4080	omsecor.exe
3360	omsecor.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1384-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1384-3-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x0008000000022f51-4.dat	upx
behavioral2/memory/2284-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2284-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2284-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2284-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2284-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000d000000023399-17.dat	upx
behavioral2/memory/2284-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4080-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4080-25-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3360-26-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x0008000000022f51-24.dat	upx
behavioral2/memory/3360-28-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3360-31-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 2284	1384	b8b1400368236bd038f6be72c19fc090_NeikiAnalytics.exe	81
PID 1384 wrote to memory of 2284	1384	b8b1400368236bd038f6be72c19fc090_NeikiAnalytics.exe	81
PID 1384 wrote to memory of 2284	1384	b8b1400368236bd038f6be72c19fc090_NeikiAnalytics.exe	81
PID 2284 wrote to memory of 4080	2284	omsecor.exe	91
PID 2284 wrote to memory of 4080	2284	omsecor.exe	91
PID 2284 wrote to memory of 4080	2284	omsecor.exe	91
PID 4080 wrote to memory of 3360	4080	omsecor.exe	92
PID 4080 wrote to memory of 3360	4080	omsecor.exe	92
PID 4080 wrote to memory of 3360	4080	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\b8b1400368236bd038f6be72c19fc090_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b8b1400368236bd038f6be72c19fc090_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:3360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
466b84159e76269bb81be0091e98bdbd

SHA1
af73dee8941fe9565843524af610c2a834052a75

SHA256
6274ec1abfab996ea9785516c05eb13eca8f48caa12317e1eaaa0d2a1b7e37b9

SHA512
aafc1224097b1b9d6ca05f1366a8f0b3288f184ce6b010808853eaf7e098a4b031fa7a44443740dd465a348a31fe7fa59396fa23fb22499378b3be7f13086e76

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
06b7c27a266b61551386b06fbb5bced5

SHA1
dbf8b5d9758dca68224127ce4aeda6d430d903bd

SHA256
d292e0225dce957c2d4ec5a9320b8fbc22b6c64ebcb38be875adbbdc464ed706

SHA512
9893107a5ed513bef3f6b0aca10f8dffe80f765d4aea12f1de0a75c01c5fa87bd8daa10eaa47db3f516691011289341ce19458efcc178449ce83cbc695ea1f62

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
fc47e3ce155664a8281d7fdf3eabdb29

SHA1
2678e3743396d8c5cc3031fcf995dfff81e22a33

SHA256
36ab22cea8157311eeb5e76236f0f7b9d45b29b01ae13281140ce7316625358c

SHA512
80aa09669dda50909e815a2b0420e65030276756d77f3bc83338887ebdc2128cad14e1cf39955f1ab51b4c48e9a53036e0df7ee0ff1c6db060d99ea94ba73000

Download Submit
memory/1384-3-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1384-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2284-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2284-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2284-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2284-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2284-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2284-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3360-26-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3360-28-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3360-31-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4080-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4080-25-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing