neconyd | 3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5

General

Target

3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe
Size

35KB
MD5

cf1dc2a0a6d8d200df3832f9faa1edc0
SHA1

1f95960e7c9f912177abb57520a3d7b80ba62d95
SHA256

3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5
SHA512

e7eece16f48e4083178311cc0110d8eefe05838f85ad7a2f95a04a771bd21fbafd0b0845fb2b34548160ae756e584f87f7e699aa0b7e7e56dd2055ed0c2dc8c6
SSDEEP

768:h6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:s8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

4788 omsecor.exe
3916 omsecor.exe
1904 omsecor.exe

pid	process
4788	omsecor.exe
3916	omsecor.exe
1904	omsecor.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2140-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2140-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/4788-6-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4788-8-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4788-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4788-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4788-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Windows\SysWOW64\omsecor.exe	upx
behavioral2/memory/4788-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3916-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/3916-24-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1904-26-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1904-28-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1904-30-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1904-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1904-34-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2140 wrote to memory of 4788	2140	3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe	omsecor.exe
PID 2140 wrote to memory of 4788	2140	3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe	omsecor.exe
PID 2140 wrote to memory of 4788	2140	3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe	omsecor.exe
PID 4788 wrote to memory of 3916	4788	omsecor.exe	omsecor.exe
PID 4788 wrote to memory of 3916	4788	omsecor.exe	omsecor.exe
PID 4788 wrote to memory of 3916	4788	omsecor.exe	omsecor.exe
PID 3916 wrote to memory of 1904	3916	omsecor.exe	omsecor.exe
PID 3916 wrote to memory of 1904	3916	omsecor.exe	omsecor.exe
PID 3916 wrote to memory of 1904	3916	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
777704d5a32b01fd53fc10092c5194b6

SHA1
fc0f87180a7e8943fca19e3c96cf8d64d8885044

SHA256
7ea39828b80e786fa92f59f5203c6a1840d8a7d40a396429fd3fffd66b3b4c15

SHA512
9ae1d70333d787b95d4fce772a79a81a3f34b6b957837b78ca6b5de495d4d53d7b058f92fb3f7ed55a8725c2b7deb2792daa9aea246f32f0aaff434b558c34a8

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
3decbb6825c24f43118026774963d5e8

SHA1
7661a83b49fa8d2ff3910e3b617b6b5d6191c620

SHA256
46808193d3962572e628f0fd6975afee52711729fe2af72cc9ccdf93aab4a959

SHA512
9cbcca3928d590e44dab40291094078703a1031fe3f09fc8c8aa9283375f48d4a030a7808dfe966569cfda0d1e5dfdaf64e4f7c5625afbd4953289db8e3fbede

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
5bf8a21b20344ae4586408869cff238f

SHA1
acde753dcdddcf7f3ffcd3faf0e0ce87a105541b

SHA256
4921eb004c5789a8f373c0b06cdb6dc27e99d9060d2f3456365f6c7d09ed24c8

SHA512
70a1557542792033f2ed5d0470ba2a413016af7a6fd996951dd61f9ad9b23be8e0b2641fa2ab7efc5b3aef70d2f51fe37511127d539f3cd84c1026b2c3f04eb4

Download Submit
memory/1904-34-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1904-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1904-30-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1904-28-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1904-26-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2140-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2140-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3916-24-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3916-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4788-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4788-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4788-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4788-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4788-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4788-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing