neconyd | ac75dc3384c2b996654bbf0ecfa447cb67720d90b91792ff7dddc4f339d78024

General

Target

5c178d6373b618988c16d29a802d2b90_NeikiAnalytics.exe
Size

35KB
MD5

5c178d6373b618988c16d29a802d2b90
SHA1

30a97a3cfe581653f153b0d711dd8afff1280791
SHA256

ac75dc3384c2b996654bbf0ecfa447cb67720d90b91792ff7dddc4f339d78024
SHA512

e1e2c1992fd7b9c21d6e10d6a3e101528d72ce06f418861122a75a984ab3b029f78d3f657719914fc6f6b719a805f63b44c6b06223b3d726d4c93292f87a3ef8
SSDEEP

768:n6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:68Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2220	omsecor.exe
1940	omsecor.exe
1620	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2360	5c178d6373b618988c16d29a802d2b90_NeikiAnalytics.exe
2360	5c178d6373b618988c16d29a802d2b90_NeikiAnalytics.exe
2220	omsecor.exe
2220	omsecor.exe
1940	omsecor.exe
1940	omsecor.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2360-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000b0000000144ac-2.dat	upx
behavioral1/memory/2360-9-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2220-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2220-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2220-16-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2220-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2220-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x0006000000005a59-25.dat	upx
behavioral1/memory/2220-26-0x0000000002550000-0x000000000257D000-memory.dmp	upx
behavioral1/memory/1940-37-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2220-33-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000b0000000144ac-38.dat	upx
behavioral1/memory/1620-46-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1620-48-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2220	2360	5c178d6373b618988c16d29a802d2b90_NeikiAnalytics.exe	28
PID 2360 wrote to memory of 2220	2360	5c178d6373b618988c16d29a802d2b90_NeikiAnalytics.exe	28
PID 2360 wrote to memory of 2220	2360	5c178d6373b618988c16d29a802d2b90_NeikiAnalytics.exe	28
PID 2360 wrote to memory of 2220	2360	5c178d6373b618988c16d29a802d2b90_NeikiAnalytics.exe	28
PID 2220 wrote to memory of 1940	2220	omsecor.exe	32
PID 2220 wrote to memory of 1940	2220	omsecor.exe	32
PID 2220 wrote to memory of 1940	2220	omsecor.exe	32
PID 2220 wrote to memory of 1940	2220	omsecor.exe	32
PID 1940 wrote to memory of 1620	1940	omsecor.exe	33
PID 1940 wrote to memory of 1620	1940	omsecor.exe	33
PID 1940 wrote to memory of 1620	1940	omsecor.exe	33
PID 1940 wrote to memory of 1620	1940	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\5c178d6373b618988c16d29a802d2b90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5c178d6373b618988c16d29a802d2b90_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
8b00b6b8b7fec5cb834677e5f2eae88c

SHA1
20f54a2ddf388b6efce55e3c1fe97570fc1a52f1

SHA256
1077c9218aff5e6286520d87768ac81fd7a6bb81130dd7374aa562df5d8c2908

SHA512
f599c4ef0f99081d19dc9c9f4511929a91f66da408ad02df9d1d4414063ff285ec0915b37c15746d9bf9b665e284b2abffd6b70dc0f3ff4a3060a7d776cf38a8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
6a6149b6044127655fd2d68d48c750d7

SHA1
44f5e54a350410ef241a2322264ca6a42a8fa65d

SHA256
a6b4147969c1ed47518aea0d09e9d4de369bc3c574ef821a03c2a4bc19d23684

SHA512
6363cc3ebbc2d27fcfc88dc8e8da456bf65ed91d3350d75e483b3ce7f86026017cc244cbab59428c0cddb39b6af2e6a35ede045c6f318bf8c47af83605b46964

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
71119213504c68b211bcb298c6f2a8e9

SHA1
766d4c5ec83126033dcd1677243d6608dd1f8076

SHA256
a6c9663f5712189ac9e229670450fb32462734ce98b3217ea10c2448ec3f6b9c

SHA512
359fc7ccd25b57c9102f533ec42928b7b2c0edb4c30d6ea30a1d82a1403fdcdc128a77411481f47b275b12a66fbaf985897d4e4da19c071ac260619772c1815c

Download Submit
memory/1620-48-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1620-46-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1940-37-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2220-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2220-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2220-26-0x0000000002550000-0x000000000257D000-memory.dmp

Filesize
180KB

Download
memory/2220-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2220-33-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2220-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2220-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2360-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2360-9-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing