neconyd | d3892ab51867b39296f5e3dbf80326ac26af2f694951bbc359142989e1e00968

General

Target

175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe
Size

35KB
MD5

175042bbe00a4a4a19ff0a5350a75220
SHA1

3417d6ca602ed86e42277504cc9ee324559d8a15
SHA256

d3892ab51867b39296f5e3dbf80326ac26af2f694951bbc359142989e1e00968
SHA512

5f5902d697c3cb563b9c512fececb2897742846aea52fb2a004acec49e8b6845c38a795270ae70c8f80e8dea90bbed8b6f32619eb18b5ca812ce94bec6d3ff9c
SSDEEP

768:C6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:x8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2228	omsecor.exe
2200	omsecor.exe
1632	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
3028	175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe
3028	175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe
2228	omsecor.exe
2228	omsecor.exe
2200	omsecor.exe
2200	omsecor.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2228-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000b00000001431b-11.dat	upx
behavioral1/memory/3028-4-0x0000000000220000-0x000000000024D000-memory.dmp	upx
behavioral1/memory/3028-3-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2228-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2228-16-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2228-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2228-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-24.dat	upx
behavioral1/files/0x000b00000001431b-46.dat	upx
behavioral1/memory/1632-47-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2200-44-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2200-34-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2228-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2228-25-0x0000000000430000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1632-51-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2228	3028	175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe	28
PID 3028 wrote to memory of 2228	3028	175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe	28
PID 3028 wrote to memory of 2228	3028	175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe	28
PID 3028 wrote to memory of 2228	3028	175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe	28
PID 2228 wrote to memory of 2200	2228	omsecor.exe	32
PID 2228 wrote to memory of 2200	2228	omsecor.exe	32
PID 2228 wrote to memory of 2200	2228	omsecor.exe	32
PID 2228 wrote to memory of 2200	2228	omsecor.exe	32
PID 2200 wrote to memory of 1632	2200	omsecor.exe	33
PID 2200 wrote to memory of 1632	2200	omsecor.exe	33
PID 2200 wrote to memory of 1632	2200	omsecor.exe	33
PID 2200 wrote to memory of 1632	2200	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
6915932c28c0b1e6603592398e25b5d4

SHA1
e403b1b7b58e57af03ac6bc803d0d2c6f7a30879

SHA256
b56a8f0a56ff26cbd2617b77293d8bd067a915d6996a8aab6bc9a24297094f57

SHA512
fd1ee9f8f6f9c83791219d589176ad7a93c69ede542df1ec4ff8b91aa75b8773d16cfef8e4be65179b026bc56661f2ba9ffd7f1e4808feb24dcc8528cf8b3a86

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
6d0018779111920b335cc8fd8d5a78e9

SHA1
2cb5e17d2e2495fbd52cb8e776673695039cfaf9

SHA256
7741d9f4c7253fcddc73525497d5b6e0ba3b5b24078efe7a72b29059086175e0

SHA512
8e2ce44af98ded6b75997318d82ec11e681676df5d9ec227cde1ed356708e9c02e1cb46a969c2869dd804f6bf2b535e66ae156571a72e603734fad9c571b6bad

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
d40f0b74a36b428b6096cc9561e038ca

SHA1
08e71ace3c62addc13d9276fbc56c212938460bb

SHA256
93797bfacea77a0e505fda3c23f4b396f42fe5f99001ba8754fafee5abea0257

SHA512
53ec26dbf9ccfd33c61d9ef09d47588b680d5bcc0df2517242fb32a89f5b5129ae03797d8cd67b364c3581901a10faa7bbe026a364b1885a97ad11e509ada04b

Download Submit
memory/1632-51-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1632-47-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2200-34-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2200-44-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2228-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2228-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2228-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2228-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2228-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2228-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2228-25-0x0000000000430000-0x000000000045D000-memory.dmp

Filesize
180KB

Download
memory/3028-3-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3028-4-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing