neconyd | 3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5

General

Target

3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe
Size

35KB
MD5

cf1dc2a0a6d8d200df3832f9faa1edc0
SHA1

1f95960e7c9f912177abb57520a3d7b80ba62d95
SHA256

3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5
SHA512

e7eece16f48e4083178311cc0110d8eefe05838f85ad7a2f95a04a771bd21fbafd0b0845fb2b34548160ae756e584f87f7e699aa0b7e7e56dd2055ed0c2dc8c6
SSDEEP

768:h6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:s8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2060 omsecor.exe
1524 omsecor.exe
1300 omsecor.exe

pid	process
2060	omsecor.exe
1524	omsecor.exe
1300	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exeomsecor.exeomsecor.exe

pid	process
2364	3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe
2364	3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe
2060	omsecor.exe
2060	omsecor.exe
1524	omsecor.exe
1524	omsecor.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2364-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/2060-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2364-9-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2060-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2060-16-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2060-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2060-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Windows\SysWOW64\omsecor.exe	upx
behavioral1/memory/1524-33-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2060-31-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/1300-46-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1524-43-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1300-50-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2364 wrote to memory of 2060	2364	3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe	omsecor.exe
PID 2364 wrote to memory of 2060	2364	3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe	omsecor.exe
PID 2364 wrote to memory of 2060	2364	3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe	omsecor.exe
PID 2364 wrote to memory of 2060	2364	3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe	omsecor.exe
PID 2060 wrote to memory of 1524	2060	omsecor.exe	omsecor.exe
PID 2060 wrote to memory of 1524	2060	omsecor.exe	omsecor.exe
PID 2060 wrote to memory of 1524	2060	omsecor.exe	omsecor.exe
PID 2060 wrote to memory of 1524	2060	omsecor.exe	omsecor.exe
PID 1524 wrote to memory of 1300	1524	omsecor.exe	omsecor.exe
PID 1524 wrote to memory of 1300	1524	omsecor.exe	omsecor.exe
PID 1524 wrote to memory of 1300	1524	omsecor.exe	omsecor.exe
PID 1524 wrote to memory of 1300	1524	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
3decbb6825c24f43118026774963d5e8

SHA1
7661a83b49fa8d2ff3910e3b617b6b5d6191c620

SHA256
46808193d3962572e628f0fd6975afee52711729fe2af72cc9ccdf93aab4a959

SHA512
9cbcca3928d590e44dab40291094078703a1031fe3f09fc8c8aa9283375f48d4a030a7808dfe966569cfda0d1e5dfdaf64e4f7c5625afbd4953289db8e3fbede

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
11702284621676bceab289fe44e6337e

SHA1
97d8a9ed543fa89d9bc9fc5c1b26055031146794

SHA256
8d0026c3611e2f32ff86ea554933888118898d385409f2790e5bb085e97f76a4

SHA512
50d426fe7c2dc3be0b817b72707b8c061ef71558a6d804e18a06d592cb40d803d5f41f6bcbd863ca8bd87afc8b45a66c7f78c28798bbb3bfae6d1e2d0eedb4fc

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
896ef2e3388056c165f92a0a80ff2897

SHA1
6b9c3494b0ce1a310290cb5c0fcf0f9879f138a0

SHA256
a2013b952dc02bff187bea7750413a6e3733e7d6c5c71d08c22ab3f0870df370

SHA512
23f057ade78fb104333f95b691ec0ecdef4f227fc3223c0306d9dcb195cb7f11ee1967c4f392ae0b3f71453a23f72c293569e9198f74e6626619440fc025a0ed

Download Submit
memory/1300-50-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1300-46-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1524-43-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1524-33-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2060-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2060-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2060-31-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2060-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2060-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2060-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2364-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2364-9-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads