neconyd | 3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e

General

Target

3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe
Size

35KB
MD5

fa4163fb79806ce8f078fdfb5c5022c0
SHA1

c5cd75489b7aae973ea471f9fdaef12b73e901a0
SHA256

3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e
SHA512

5e9a91dd398e3abd57bc0e28ba20ccc042950fd84848184307ec11bc5c1a72e3122d4739ac7a91368c4f0b3752fd83ddb42790072494cbf4f7fb0ee3ec2abccd
SSDEEP

768:z6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:u8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

3064 omsecor.exe
288 omsecor.exe
1804 omsecor.exe

pid	process
3064	omsecor.exe
288	omsecor.exe
1804	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exeomsecor.exeomsecor.exe

pid	process
3024	3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe
3024	3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe
3064	omsecor.exe
3064	omsecor.exe
288	omsecor.exe
288	omsecor.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3024-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/3064-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/3024-9-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/3064-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/3064-16-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/3064-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/3064-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Windows\SysWOW64\omsecor.exe	upx
behavioral1/memory/3064-25-0x0000000000290000-0x00000000002BD000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/288-45-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/288-34-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/3064-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1804-46-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1804-48-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1804-51-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3024 wrote to memory of 3064	3024	3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe	omsecor.exe
PID 3024 wrote to memory of 3064	3024	3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe	omsecor.exe
PID 3024 wrote to memory of 3064	3024	3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe	omsecor.exe
PID 3024 wrote to memory of 3064	3024	3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe	omsecor.exe
PID 3064 wrote to memory of 288	3064	omsecor.exe	omsecor.exe
PID 3064 wrote to memory of 288	3064	omsecor.exe	omsecor.exe
PID 3064 wrote to memory of 288	3064	omsecor.exe	omsecor.exe
PID 3064 wrote to memory of 288	3064	omsecor.exe	omsecor.exe
PID 288 wrote to memory of 1804	288	omsecor.exe	omsecor.exe
PID 288 wrote to memory of 1804	288	omsecor.exe	omsecor.exe
PID 288 wrote to memory of 1804	288	omsecor.exe	omsecor.exe
PID 288 wrote to memory of 1804	288	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:288

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
ef9a09776315c7a5b1eefdc69f51d39e

SHA1
162578d8dd1c38a42bc41124873c4358a70047a2

SHA256
e3870a605f4f393d0fba006d080c562474b5dc625374d81f6b3e1ca924440a3f

SHA512
264e3a524bf764c1157aae9d9bd224dd469a5971f8926744da7e57ce82fcd50144c08815e4a78e9fa9af0b5c7196fdc8e586b8db4dccd2b8a14afd535f5b2623

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
febd5d5799341d9e4956e8d71cb77674

SHA1
2520c761dbf5b54284d27635f9a3b0fb4c1aa8e3

SHA256
63320d1371424e639c5959b89c27a8c03f17bd62dbc3d4f6419eb0120fb3a627

SHA512
c56328745785aa354bd88d25172d41b1f1a5d3fee1f45b83dc8bd6dc6cc8c113bf8d4dcc837dfe5b2bcab0a4a5c85cebfa384fb15be8bf1b61dcb5f7b9da0fd4

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
3f831cc885732a2da910418f23e065e3

SHA1
a66300257f1a6061afb4b2b1a4d829d1d1610303

SHA256
2f5acb6648a4a12e62411ba6ad441691046d83f1d198ea8ecd8a65db7ec5c598

SHA512
bbceeedb0e3e234f8e464e3f51dabf7cd940db04b6c586bd500132a2afd1cc00157e0a802354942b90ab91ab242aaca24110afd6fadfb8d2b2ee3849b29083a9

Download Submit
memory/288-34-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/288-45-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1804-51-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1804-48-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1804-46-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3024-9-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3024-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3064-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3064-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3064-25-0x0000000000290000-0x00000000002BD000-memory.dmp

Filesize
180KB

Download
memory/3064-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3064-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3064-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3064-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads