neconyd | 393101034ff161f0c2f53114a64bab995f92d522095faef29ba281c920c88521

General

Target

6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe
Size

35KB
MD5

6c6d3dd62bef9a84fc4f9ca040d8cd50
SHA1

265162a5d5215cd72a286f7075d4e16300ed5a4d
SHA256

393101034ff161f0c2f53114a64bab995f92d522095faef29ba281c920c88521
SHA512

b41c53a428f10cd024ec69743d7fe37ee4fff28262f6397eeaa8cdca95cc3a38ed33fba03eb97938164b8a56c87991b27a8332f2707535bfa126ba3902813df4
SSDEEP

768:E6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:T8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1176 omsecor.exe
2152 omsecor.exe
1668 omsecor.exe

pid	process
1176	omsecor.exe
2152	omsecor.exe
1668	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exeomsecor.exeomsecor.exe

pid	process
1276	6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe
1276	6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe
1176	omsecor.exe
1176	omsecor.exe
2152	omsecor.exe
2152	omsecor.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1276-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/1276-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1176-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1276-8-0x0000000000220000-0x000000000024D000-memory.dmp	upx
behavioral1/memory/1176-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1176-18-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1176-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1176-24-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Windows\SysWOW64\omsecor.exe	upx
behavioral1/memory/1176-28-0x0000000000290000-0x00000000002BD000-memory.dmp	upx
behavioral1/memory/1176-35-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/2152-45-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1668-47-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1668-49-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1668-52-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1276 wrote to memory of 1176	1276	6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe	omsecor.exe
PID 1276 wrote to memory of 1176	1276	6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe	omsecor.exe
PID 1276 wrote to memory of 1176	1276	6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe	omsecor.exe
PID 1276 wrote to memory of 1176	1276	6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe	omsecor.exe
PID 1176 wrote to memory of 2152	1176	omsecor.exe	omsecor.exe
PID 1176 wrote to memory of 2152	1176	omsecor.exe	omsecor.exe
PID 1176 wrote to memory of 2152	1176	omsecor.exe	omsecor.exe
PID 1176 wrote to memory of 2152	1176	omsecor.exe	omsecor.exe
PID 2152 wrote to memory of 1668	2152	omsecor.exe	omsecor.exe
PID 2152 wrote to memory of 1668	2152	omsecor.exe	omsecor.exe
PID 2152 wrote to memory of 1668	2152	omsecor.exe	omsecor.exe
PID 2152 wrote to memory of 1668	2152	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
88be7cfa67f782d40bf19595240e2d2c

SHA1
d5dfb84cf19f2c37884418227a5c1362de505f2c

SHA256
7f963ff14affd2eb0ea5cc3f245949bbdf1ee0d8fc1b8702232b9a3f2cacf1df

SHA512
f48fcef3d44bbd58cbcc6b2345c51b5f4e038d99f4f15091693ac53c72c058d41f446882ca953ebdde4fa8afa8b5380ed135e7024bf841dabf0bd55b51c04465

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
e4d71c5f43daaad2590aafc7d64118e4

SHA1
33e1ccc4afc73d1d09495da774e08da2e3c7a1d5

SHA256
758e25c540967656e9e5e63b646dec3fde118b8cb599bf859caac0ab087fc87f

SHA512
7b3599cb39c68987f5a690dce71a158f5f08408bfa25a0893374ba0a46c1cc914ad3595732fd8321ce54f2a9943397ea534a484a788fa5934a404e66ba8972a9

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
9f8942221136125247d675f919f4ab3b

SHA1
017a65b8066afee82b0b88025d8b25b1d531fc95

SHA256
97295ebc32d9a4a5c640fb322ba8c0a914456e0a2fff91da42d3ce69c2ffa46b

SHA512
682a7f54cf4c3383ae6f39865f03c7eb0d1e9327b1414bcdb6a83f6036f3cbdbf744d788c88342ce33daa489c3d175945fdff5ce162ef979f16f3d94746c6152

Download Submit
memory/1176-35-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1176-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1176-28-0x0000000000290000-0x00000000002BD000-memory.dmp

Filesize
180KB

Download
memory/1176-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1176-18-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1176-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1176-24-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1276-10-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/1276-8-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/1276-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1276-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1668-47-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1668-49-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1668-52-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2152-45-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads