neconyd | 47ab902eec098f0bc032806dc1a398f97ce489a16fdefd9a45a3e9797b14f1e0

General

Target

afbb7bec4957278a457404553dd653c0_NeikiAnalytics.exe
Size

35KB
MD5

afbb7bec4957278a457404553dd653c0
SHA1

a5a833b252e36a9abfaaab1fe69de162fb46218a
SHA256

47ab902eec098f0bc032806dc1a398f97ce489a16fdefd9a45a3e9797b14f1e0
SHA512

59489ed4e084134b0567964ee97dd43ff6b201832c06636b25267f84e9a3d087fb92c45906cd9bb56f1b9debcc621c94aadbd3f0e053aaef23e0e3ab59e20d1d
SSDEEP

768:i6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:R8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
900	omsecor.exe
1048	omsecor.exe
2612	omsecor.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3968-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3968-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000a0000000233d8-3.dat	upx
behavioral2/memory/900-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/900-8-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/900-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/900-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/900-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x0008000000023409-18.dat	upx
behavioral2/memory/900-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000a0000000233d8-25.dat	upx
behavioral2/memory/1048-23-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2612-27-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2612-29-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2612-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 900	3968	afbb7bec4957278a457404553dd653c0_NeikiAnalytics.exe	82
PID 3968 wrote to memory of 900	3968	afbb7bec4957278a457404553dd653c0_NeikiAnalytics.exe	82
PID 3968 wrote to memory of 900	3968	afbb7bec4957278a457404553dd653c0_NeikiAnalytics.exe	82
PID 900 wrote to memory of 1048	900	omsecor.exe	95
PID 900 wrote to memory of 1048	900	omsecor.exe	95
PID 900 wrote to memory of 1048	900	omsecor.exe	95
PID 1048 wrote to memory of 2612	1048	omsecor.exe	96
PID 1048 wrote to memory of 2612	1048	omsecor.exe	96
PID 1048 wrote to memory of 2612	1048	omsecor.exe	96

C:\Users\Admin\AppData\Local\Temp\afbb7bec4957278a457404553dd653c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\afbb7bec4957278a457404553dd653c0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:2612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
dfc8310be30664404dc4e58d4d70bed4

SHA1
93786a3baeb6aa438b641b53b6ccec9a9659a27a

SHA256
c595d6bfdbdf6609eff054369cfeae26c9d33c4bf131849dda6711c3070e066b

SHA512
bbf0820b3f8401f4e9156db98718a8004611fae69cb1c3f575a5849694f89726b05e86d63545edad4197b723ec003f709ca0323deaea9775433426e5ce27cbef

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
3b656d2e78fc5933bee0e2a7ba8e7d68

SHA1
f840ed74e47e4f4c72767a07eafd94c4c09b1858

SHA256
49e11a9bcc4bff373a6d1ba94792bbeb8fbcc08cb8e3e9c829462f67ddae3044

SHA512
c5a5d85dafbf0c5273555678ea8017884ada5a96f05cc13beebf8718fdcd50b851a3737bca2a6ab031fc59c32c8fa0934f471a075626e469e691c48cb5213ba5

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
63c9f699d013bcbb11101971969ec462

SHA1
422c9c4e6fbde81b7efd387d863b1cb39af0e290

SHA256
bb6935ec95515e4148d09d90f17e360c974741d8ea9ce88facbec084282996e8

SHA512
d668ea5a588afd14cce7548ca58fb9f44ed6ab884497c43efa110dbf88377e2d33e8f8bc14917898f6c42b4585e1f0b114d14c298295240c9977643ce43edbd0

Download Submit
memory/900-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/900-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/900-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/900-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/900-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/900-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1048-23-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2612-27-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2612-29-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2612-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3968-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3968-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing