neconyd | 7ea7ba6d073cfcb17bc7ca98018e4255c788a22f753b1af92dec3bffbc789ae4

General

Target

3ce20d41cd5cea750036cb82870c3070_NeikiAnalytics.exe
Size

35KB
MD5

3ce20d41cd5cea750036cb82870c3070
SHA1

dfa9ee1fee264a8fbcb370d52008f69944a8f284
SHA256

7ea7ba6d073cfcb17bc7ca98018e4255c788a22f753b1af92dec3bffbc789ae4
SHA512

100c62af8798d172f082ba785ae06c59ec08f9ad7056d472c72969be97a1057ee38ce0deba777fe16216e80c68e62db07cc99845fa0cf572ebafa72c1c440703
SSDEEP

768:96vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:w8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 2 IoCs

pid	Process
2096	omsecor.exe
2724	omsecor.exe

Loads dropped DLL 4 IoCs

pid	Process
2896	3ce20d41cd5cea750036cb82870c3070_NeikiAnalytics.exe
2896	3ce20d41cd5cea750036cb82870c3070_NeikiAnalytics.exe
2096	omsecor.exe
2096	omsecor.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2896-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2896-4-0x0000000000220000-0x000000000024D000-memory.dmp	upx
behavioral1/files/0x000d000000014698-8.dat	upx
behavioral1/memory/2096-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2896-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2096-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2096-17-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2096-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2096-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000f00000000f680-23.dat	upx
behavioral1/memory/2096-24-0x00000000003A0000-0x00000000003CD000-memory.dmp	upx
behavioral1/memory/2096-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2724-33-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2724-35-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2724-38-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2096	2896	3ce20d41cd5cea750036cb82870c3070_NeikiAnalytics.exe	28
PID 2896 wrote to memory of 2096	2896	3ce20d41cd5cea750036cb82870c3070_NeikiAnalytics.exe	28
PID 2896 wrote to memory of 2096	2896	3ce20d41cd5cea750036cb82870c3070_NeikiAnalytics.exe	28
PID 2896 wrote to memory of 2096	2896	3ce20d41cd5cea750036cb82870c3070_NeikiAnalytics.exe	28
PID 2096 wrote to memory of 2724	2096	omsecor.exe	32
PID 2096 wrote to memory of 2724	2096	omsecor.exe	32
PID 2096 wrote to memory of 2724	2096	omsecor.exe	32
PID 2096 wrote to memory of 2724	2096	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\3ce20d41cd5cea750036cb82870c3070_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3ce20d41cd5cea750036cb82870c3070_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
e37e5db91dc8c91e94623fbf6729a350

SHA1
f91f850bbe124add4ff978d8ace4b56ad50d5456

SHA256
4c4d975316f720d53dfeb6b4008a836df5b1caf98999f2b52a9bce0a63498448

SHA512
e97ea71a7bbb37bcf5f135f9f6f24647829518b601cddc6c516c38c466b63469f70575ac502839151bdd6f6cc2b31f2d69621e00081c8d886a6022b6c3de34eb

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
ed84aa675693ce1d398997380b28cec6

SHA1
73390a8b0af460c25c5ab84090437c29ff0bd23c

SHA256
ba0813e664755258f8cc0d645294e1b68a092a307904659bcbc1c21d6dbcc887

SHA512
84ab6f7e867234682c19359c7da5dee641e400860a42db891c55938b4d85e2cec06e6c139b78dad174943d501350012235db1cd406c4edc9c85ed642bd63847e

Download Submit
memory/2096-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2096-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2096-17-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2096-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2096-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2096-24-0x00000000003A0000-0x00000000003CD000-memory.dmp

Filesize
180KB

Download
memory/2096-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2724-33-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2724-35-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2724-38-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2896-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2896-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2896-4-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing