neconyd | 5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707

General

Target

5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe
Size

35KB
MD5

814a4a111a0e55061265b28077614ad0
SHA1

9d4f529344e9886dc3a565c27b26c9c3b64dd6dd
SHA256

5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707
SHA512

da6f354b51a9ecb5387b66a7d4c4f774608050af40a1cab182a46836dc29795f1a45ffad5e2ea6f47f371f486398926a786dc934c24f4febe8b94fd98c7541e3
SSDEEP

768:I6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:P8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1224 omsecor.exe
2804 omsecor.exe
4976 omsecor.exe

pid	process
1224	omsecor.exe
2804	omsecor.exe
4976	omsecor.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3788-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/3788-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1224-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1224-8-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1224-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1224-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1224-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Windows\SysWOW64\omsecor.exe	upx
behavioral2/memory/1224-18-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2804-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2804-25-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/4976-26-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4976-28-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4976-30-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4976-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4976-34-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3788 wrote to memory of 1224	3788	5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe	omsecor.exe
PID 3788 wrote to memory of 1224	3788	5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe	omsecor.exe
PID 3788 wrote to memory of 1224	3788	5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe	omsecor.exe
PID 1224 wrote to memory of 2804	1224	omsecor.exe	omsecor.exe
PID 1224 wrote to memory of 2804	1224	omsecor.exe	omsecor.exe
PID 1224 wrote to memory of 2804	1224	omsecor.exe	omsecor.exe
PID 2804 wrote to memory of 4976	2804	omsecor.exe	omsecor.exe
PID 2804 wrote to memory of 4976	2804	omsecor.exe	omsecor.exe
PID 2804 wrote to memory of 4976	2804	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3788

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:4976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
58ae46295b96b370448d71d2407ff489

SHA1
9fa562dfe6039253de5ee24d35bff02987999486

SHA256
9c3c314ec50afa8bc7eb234ef024ea2a2fb6b859296584dc46fd2de4257643af

SHA512
d6c2018b7f20414dbc3e6fa813acc509f6138dc86743d21988ce0a8a84d1a412365d95860fea2ad7ec0aaaebb8113beae189a5f77d76d0c27f6644e5bba9d9a0

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
fbc1c9ad174bee68507ed189932275c6

SHA1
948dc1618f545d12a2a87d0b530b57e8588e2e95

SHA256
7f9f5cbbdd9e4a3034ed4b9e8364a31ae73ee61ce9ec01a9e325f19f7d8bb314

SHA512
beaa88b13baff9fdfba36ea87d3c1f684989caf66c091299df0f98321ac7f642cb7f31ac542f28a9b0e726a6c97c80302f777f8609142f6b8e5d824c0ededb59

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
086da5d34fb9fdb94ae1f9444bcff894

SHA1
c0dce96e9add0379049b53e43bd4e4ba7cd5ff6f

SHA256
3c3744c9fa4b78db4d1c0c003ee737e2d40c3bf56a462e2f691a60361b98cde4

SHA512
2ca2d837517a183626f446c91307e07cee560aba8d7e40a0cc2a871a8d0c9370790da59aa9cd354a5d61c3419cf25bf6462e353393ef38d986c81fee7cf26fad

Download Submit
memory/1224-18-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1224-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1224-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1224-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1224-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1224-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2804-25-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2804-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3788-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3788-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4976-26-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4976-28-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4976-30-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4976-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4976-34-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing