neconyd | d3892ab51867b39296f5e3dbf80326ac26af2f694951bbc359142989e1e00968

General

Target

175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe
Size

35KB
MD5

175042bbe00a4a4a19ff0a5350a75220
SHA1

3417d6ca602ed86e42277504cc9ee324559d8a15
SHA256

d3892ab51867b39296f5e3dbf80326ac26af2f694951bbc359142989e1e00968
SHA512

5f5902d697c3cb563b9c512fececb2897742846aea52fb2a004acec49e8b6845c38a795270ae70c8f80e8dea90bbed8b6f32619eb18b5ca812ce94bec6d3ff9c
SSDEEP

768:C6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:x8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
1792	omsecor.exe
1804	omsecor.exe
1752	omsecor.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2836-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000a0000000232ae-3.dat	upx
behavioral2/memory/2836-6-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1792-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1792-8-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1792-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1792-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1792-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000a0000000232ae-28.dat	upx
behavioral2/memory/1752-27-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1804-26-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1804-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000c000000021793-20.dat	upx
behavioral2/memory/1792-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1752-29-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1752-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 1792	2836	175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe	83
PID 2836 wrote to memory of 1792	2836	175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe	83
PID 2836 wrote to memory of 1792	2836	175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe	83
PID 1792 wrote to memory of 1804	1792	omsecor.exe	95
PID 1792 wrote to memory of 1804	1792	omsecor.exe	95
PID 1792 wrote to memory of 1804	1792	omsecor.exe	95
PID 1804 wrote to memory of 1752	1804	omsecor.exe	96
PID 1804 wrote to memory of 1752	1804	omsecor.exe	96
PID 1804 wrote to memory of 1752	1804	omsecor.exe	96

C:\Users\Admin\AppData\Local\Temp\175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
a547a57f5e55bd9c921fb644715efcf0

SHA1
f19c6d51523c662ee3efd9cfa384445a51f6400e

SHA256
e20103bd3142d568e408b762a3fdce2663948cd4d8c0d00f44f6a87756e045ba

SHA512
1f383ea46872b97b7eff6035db8a6caebaea642db9d6e43156fb701477bdd0b3643487b1069180d81f1d3fe7455167743196250ce8f4109eb61f7a49374634ab

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
6915932c28c0b1e6603592398e25b5d4

SHA1
e403b1b7b58e57af03ac6bc803d0d2c6f7a30879

SHA256
b56a8f0a56ff26cbd2617b77293d8bd067a915d6996a8aab6bc9a24297094f57

SHA512
fd1ee9f8f6f9c83791219d589176ad7a93c69ede542df1ec4ff8b91aa75b8773d16cfef8e4be65179b026bc56661f2ba9ffd7f1e4808feb24dcc8528cf8b3a86

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
83c8ac7f85c968f71382571518e6f1d8

SHA1
ee371b6ef8ed69f02c8476b0b4587591341b415d

SHA256
2eea9920c86c7999b8d4e440991b8e62cde1bc9885f25bef24c000da4c1b4372

SHA512
127fb87d275a6df1306bc3638dc5b28decca201ba6e00b548d53580547459770fe2b89a524db1b1a3547f7582244df14e1e134a698d4c55055e010b5ce7a84f2

Download Submit
memory/1752-27-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1752-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1752-29-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1792-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1792-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1792-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1792-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1792-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1792-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1804-26-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1804-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2836-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2836-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing