neconyd | 5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707

General

Target

5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe
Size

35KB
MD5

814a4a111a0e55061265b28077614ad0
SHA1

9d4f529344e9886dc3a565c27b26c9c3b64dd6dd
SHA256

5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707
SHA512

da6f354b51a9ecb5387b66a7d4c4f774608050af40a1cab182a46836dc29795f1a45ffad5e2ea6f47f371f486398926a786dc934c24f4febe8b94fd98c7541e3
SSDEEP

768:I6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:P8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1856 omsecor.exe
2144 omsecor.exe
1792 omsecor.exe

pid	process
1856	omsecor.exe
2144	omsecor.exe
1792	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exeomsecor.exeomsecor.exe

pid	process
1040	5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe
1040	5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe
1856	omsecor.exe
1856	omsecor.exe
2144	omsecor.exe
2144	omsecor.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/1040-4-0x00000000002B0000-0x00000000002DD000-memory.dmp	upx
behavioral1/memory/1040-3-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1856-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1856-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1856-18-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1856-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Windows\SysWOW64\omsecor.exe	upx
behavioral1/memory/1856-24-0x0000000000390000-0x00000000003BD000-memory.dmp	upx
behavioral1/memory/1856-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/2144-37-0x0000000000220000-0x000000000024D000-memory.dmp	upx
behavioral1/memory/2144-43-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1792-46-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1792-47-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1792-50-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1040 wrote to memory of 1856	1040	5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe	omsecor.exe
PID 1040 wrote to memory of 1856	1040	5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe	omsecor.exe
PID 1040 wrote to memory of 1856	1040	5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe	omsecor.exe
PID 1040 wrote to memory of 1856	1040	5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe	omsecor.exe
PID 1856 wrote to memory of 2144	1856	omsecor.exe	omsecor.exe
PID 1856 wrote to memory of 2144	1856	omsecor.exe	omsecor.exe
PID 1856 wrote to memory of 2144	1856	omsecor.exe	omsecor.exe
PID 1856 wrote to memory of 2144	1856	omsecor.exe	omsecor.exe
PID 2144 wrote to memory of 1792	2144	omsecor.exe	omsecor.exe
PID 2144 wrote to memory of 1792	2144	omsecor.exe	omsecor.exe
PID 2144 wrote to memory of 1792	2144	omsecor.exe	omsecor.exe
PID 2144 wrote to memory of 1792	2144	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
bfac6f122ca83c690082b8bd34c61a02

SHA1
a298447ec9e048b9991b7ba814ae9198d35ba44f

SHA256
b100894275869de46287565eb0105bce6f1ef67a9e9fa5d17cc2ecebd9df89a0

SHA512
1a496ca640f2274f860029b2934239d36fdb81ee55630551e5c67fbc3e63674450fbbd319b4c236db5ae635b50040c0aa9269fa57423d1eba1334e1e9e068edf

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
58ae46295b96b370448d71d2407ff489

SHA1
9fa562dfe6039253de5ee24d35bff02987999486

SHA256
9c3c314ec50afa8bc7eb234ef024ea2a2fb6b859296584dc46fd2de4257643af

SHA512
d6c2018b7f20414dbc3e6fa813acc509f6138dc86743d21988ce0a8a84d1a412365d95860fea2ad7ec0aaaebb8113beae189a5f77d76d0c27f6644e5bba9d9a0

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
2009d15c4191802eb997e11115dbbf2f

SHA1
939ab819284b7a07a8c77e1bf4fa2c9160f5cc43

SHA256
1cb467329a58454f27cbcbd7f1f71e793b7339f26e973ef2e89db9f828fd2482

SHA512
25422f975d2fc2e1b0a21f6351089cb724880d7a1fda874c01978988e9f4d7357350fb2e528308f3af99f7c711e3530e03efe5425c9623ef8ffa9cdd5b399bf4

Download Submit
memory/1040-4-0x00000000002B0000-0x00000000002DD000-memory.dmp

Filesize
180KB

Download
memory/1040-3-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1792-50-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1792-47-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1792-46-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1856-24-0x0000000000390000-0x00000000003BD000-memory.dmp

Filesize
180KB

Download
memory/1856-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1856-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1856-18-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1856-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1856-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2144-37-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/2144-43-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads