neconyd | 2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376

General

Target

2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe
Size

35KB
MD5

ce1a5df399fdad538c12fa7b9a9080e0
SHA1

ce1e51f731043577f3f05da70c6bb638bcf0caa0
SHA256

2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376
SHA512

6779671a202b986ed6a96436c7d1662e694a4410174cbe74f17f5d5f79febd04cbadd5166bfbf56f22cb3953e27c6afa6c4ca5c7db9d8ec5e62e3bdcd5ba82b5
SSDEEP

768:P6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:S8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2212 omsecor.exe
2164 omsecor.exe
1700 omsecor.exe

pid	process
2212	omsecor.exe
2164	omsecor.exe
1700	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exeomsecor.exeomsecor.exe

pid	process
2028	2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe
2028	2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe
2212	omsecor.exe
2212	omsecor.exe
2164	omsecor.exe
2164	omsecor.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2028-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/2212-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2028-9-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2212-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2212-16-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2212-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2212-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Windows\SysWOW64\omsecor.exe	upx
behavioral1/memory/2212-27-0x0000000000300000-0x000000000032D000-memory.dmp	upx
behavioral1/memory/2212-33-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2212-31-0x0000000000300000-0x000000000032D000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/2164-44-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1700-46-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1700-48-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1700-51-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2028 wrote to memory of 2212	2028	2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe	omsecor.exe
PID 2028 wrote to memory of 2212	2028	2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe	omsecor.exe
PID 2028 wrote to memory of 2212	2028	2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe	omsecor.exe
PID 2028 wrote to memory of 2212	2028	2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe	omsecor.exe
PID 2212 wrote to memory of 2164	2212	omsecor.exe	omsecor.exe
PID 2212 wrote to memory of 2164	2212	omsecor.exe	omsecor.exe
PID 2212 wrote to memory of 2164	2212	omsecor.exe	omsecor.exe
PID 2212 wrote to memory of 2164	2212	omsecor.exe	omsecor.exe
PID 2164 wrote to memory of 1700	2164	omsecor.exe	omsecor.exe
PID 2164 wrote to memory of 1700	2164	omsecor.exe	omsecor.exe
PID 2164 wrote to memory of 1700	2164	omsecor.exe	omsecor.exe
PID 2164 wrote to memory of 1700	2164	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
75bc9160042b511b004b490713524645

SHA1
8e51df9ac392a0bdc3e0da4b286dee513a3c0f12

SHA256
eea64077184eb0b4f7d7662575b05ab9704345c4c9dc5b169bb95a48c210fb59

SHA512
ed698a0939966d4cf26ae7af179f136c2f4194ff014c6600b7fcd8f7d7fbb825e0c0d821c553f67170906153691a617e62ae9d1c45bfe9d8114f5048bb86624b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
25741f649b20028d843f68bceaec9ec0

SHA1
f3f4402b414dbafaf54379a5ee91267d0e9e7b07

SHA256
e053d7d04507090e84b97938ebc2c39f8c06997d4363582024383e6e0bf3a162

SHA512
b34eb2816da928e7048e7896779e98f3e88964f5b7bc868fb608ccc8a8cf5b45e675eb0fef5809d82ef0a51fb306f80a93c0a2492a3b99f169b668fb1fac224b

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
90ae1b1e7590405224cc1640c799bc87

SHA1
c8bb9e82f64386ee2e4f00f3faa8ee282b38d1d5

SHA256
107d0d8556039b13e3b56d0e3a2c8dc27e1259a0c027ca9ca3b464cf365fe0be

SHA512
c5b6b2ce8021ef9396a4d6d488cf055bc6ce4b2d732506d246b3696afe959d43953cbbd0471a361ba35ac3af6f5e2a06ad18b62800e63cb10a5b7454f21f6501

Download Submit
memory/1700-51-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1700-48-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1700-46-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2028-9-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2028-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2164-44-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2212-27-0x0000000000300000-0x000000000032D000-memory.dmp

Filesize
180KB

Download
memory/2212-33-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2212-31-0x0000000000300000-0x000000000032D000-memory.dmp

Filesize
180KB

Download
memory/2212-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2212-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2212-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2212-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2212-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads