neconyd | 2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376

General

Target

2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe
Size

35KB
MD5

ce1a5df399fdad538c12fa7b9a9080e0
SHA1

ce1e51f731043577f3f05da70c6bb638bcf0caa0
SHA256

2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376
SHA512

6779671a202b986ed6a96436c7d1662e694a4410174cbe74f17f5d5f79febd04cbadd5166bfbf56f22cb3953e27c6afa6c4ca5c7db9d8ec5e62e3bdcd5ba82b5
SSDEEP

768:P6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:S8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2368 omsecor.exe
2672 omsecor.exe
5076 omsecor.exe

pid	process
2368	omsecor.exe
2672	omsecor.exe
5076	omsecor.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2240-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/2240-6-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2368-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2368-8-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2368-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2368-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2368-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Windows\SysWOW64\omsecor.exe	upx
behavioral2/memory/2368-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2672-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/2672-25-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/5076-26-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/5076-28-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/5076-30-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/5076-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/5076-34-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2240 wrote to memory of 2368	2240	2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe	omsecor.exe
PID 2240 wrote to memory of 2368	2240	2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe	omsecor.exe
PID 2240 wrote to memory of 2368	2240	2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe	omsecor.exe
PID 2368 wrote to memory of 2672	2368	omsecor.exe	omsecor.exe
PID 2368 wrote to memory of 2672	2368	omsecor.exe	omsecor.exe
PID 2368 wrote to memory of 2672	2368	omsecor.exe	omsecor.exe
PID 2672 wrote to memory of 5076	2672	omsecor.exe	omsecor.exe
PID 2672 wrote to memory of 5076	2672	omsecor.exe	omsecor.exe
PID 2672 wrote to memory of 5076	2672	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:5076

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
d0c310926bf9ff9062ee307a369b9fdb

SHA1
7b7c3a20b7ceab1de8c550184b49de0cf153f0e6

SHA256
5f08457269ab0c541e799f4fb55c755b02271fab7281a3adae08b4c10d361bdb

SHA512
7d5ad0755b059b097cd1db52d169270ec631cb138ccdbf851312127a27fb08bd2f4eb058ec37af64793af60541ebb5f3a2da9efa013895faad2d27d5b9d9d258

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
75bc9160042b511b004b490713524645

SHA1
8e51df9ac392a0bdc3e0da4b286dee513a3c0f12

SHA256
eea64077184eb0b4f7d7662575b05ab9704345c4c9dc5b169bb95a48c210fb59

SHA512
ed698a0939966d4cf26ae7af179f136c2f4194ff014c6600b7fcd8f7d7fbb825e0c0d821c553f67170906153691a617e62ae9d1c45bfe9d8114f5048bb86624b

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
1178b654d237ef47b6c6861f5dd4f01a

SHA1
51b3bee03f16c3cd655229f8b4f013da0aca1cbf

SHA256
f8c4823150b2c4fd455b446fc3058689911c7be3f95c4ae45fb552ca8474ebe4

SHA512
e52c1965861d4d2e91524503ed10193b1ac4260620af032da9d52ea56429c065552a534aa33bb3a349518e3cbf56e1e336e4dcf77b71d4557aafa31ff39d4210

Download Submit
memory/2240-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2240-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2368-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2368-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2368-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2368-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2368-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2368-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2672-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2672-25-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5076-26-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5076-28-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5076-30-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5076-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5076-34-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing