neconyd | 69b8f322689256e22dc454a8b2b3ce99eef689a324f00209dda52e6fbd1b81ff

General

Target

d84496625d643a3526076109460d6de0_NeikiAnalytics.exe
Size

35KB
MD5

d84496625d643a3526076109460d6de0
SHA1

cced033a3910c52fcdfb1ef1698ed43c2a4ae20a
SHA256

69b8f322689256e22dc454a8b2b3ce99eef689a324f00209dda52e6fbd1b81ff
SHA512

02d39019f2f55d7ebd17232319e019a9d03455be97367b43e06992ae86d408405ca4a0d58040b35c89f0c129d869af243f8735ce17c2c7652f7f677688f3df66
SSDEEP

768:Z6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:08Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2104	omsecor.exe
3000	omsecor.exe
776	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1716	d84496625d643a3526076109460d6de0_NeikiAnalytics.exe
1716	d84496625d643a3526076109460d6de0_NeikiAnalytics.exe
2104	omsecor.exe
2104	omsecor.exe
3000	omsecor.exe
3000	omsecor.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1716-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1716-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2104-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000a000000015f7a-9.dat	upx
behavioral1/memory/2104-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2104-18-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2104-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2104-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x0006000000005a59-26.dat	upx
behavioral1/memory/2104-28-0x0000000002130000-0x000000000215D000-memory.dmp	upx
behavioral1/memory/2104-35-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/3000-38-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000a000000015f7a-39.dat	upx
behavioral1/memory/776-47-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/776-49-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/776-52-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2104	1716	d84496625d643a3526076109460d6de0_NeikiAnalytics.exe	28
PID 1716 wrote to memory of 2104	1716	d84496625d643a3526076109460d6de0_NeikiAnalytics.exe	28
PID 1716 wrote to memory of 2104	1716	d84496625d643a3526076109460d6de0_NeikiAnalytics.exe	28
PID 1716 wrote to memory of 2104	1716	d84496625d643a3526076109460d6de0_NeikiAnalytics.exe	28
PID 2104 wrote to memory of 3000	2104	omsecor.exe	32
PID 2104 wrote to memory of 3000	2104	omsecor.exe	32
PID 2104 wrote to memory of 3000	2104	omsecor.exe	32
PID 2104 wrote to memory of 3000	2104	omsecor.exe	32
PID 3000 wrote to memory of 776	3000	omsecor.exe	33
PID 3000 wrote to memory of 776	3000	omsecor.exe	33
PID 3000 wrote to memory of 776	3000	omsecor.exe	33
PID 3000 wrote to memory of 776	3000	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\d84496625d643a3526076109460d6de0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d84496625d643a3526076109460d6de0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
fa8bb4c2ff6b0f4adf487131fb1dbeb8

SHA1
d736cfb51f8ebf0ab0dc9f8e0740ff958c817ae3

SHA256
cdb5edf4160b3a74219ee6fc11997baff6ac87e9f5c362859068030724060ff5

SHA512
8ea95f0ce0cf04e62fa79b7ce47a3de9a391fa4902c753158ecca7fdb994b8723182d1fb80edc2679970030d1ef90150726e71dfca0fa44e4e2e80180d49be89

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
c29ee8da7e1b8d952d26b2fc7ab6729d

SHA1
8f4f24cd24f376d3872e3935da1ddaa2d28a8dec

SHA256
17c47b350333e1666d674bd5fb71b686b657d37ab06dba0296ee144be5b57f21

SHA512
d240f09af25ffe5a31221e9f8a3db6d1ea17e9ac2d81280794cbd5cda82539b0142a9069bf9062f706099168c974a0cef6617e6a2af26dae2808ee2245e3f7f6

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
52f1200fbc8f43a2ac91c959f001f65d

SHA1
c303d1ca4f01cd222e1c3a7b08809ce122000962

SHA256
418e243750ba3a52d635ad386908da3195d25b36497d6b3509b6fc268d15d91c

SHA512
922c9dc2ac5ee9d414ffd25f34cb73183169de1b7fcbb672cd067faad102e2665a0d9b5856c1483a5cd93b837814b04558a669f16b6bd93656cbee94093a0573

Download Submit
memory/776-52-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/776-49-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/776-47-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1716-8-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/1716-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1716-12-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/1716-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2104-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2104-28-0x0000000002130000-0x000000000215D000-memory.dmp

Filesize
180KB

Download
memory/2104-35-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2104-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2104-18-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2104-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2104-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3000-38-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing