neconyd | 3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e

General

Target

3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe
Size

35KB
MD5

fa4163fb79806ce8f078fdfb5c5022c0
SHA1

c5cd75489b7aae973ea471f9fdaef12b73e901a0
SHA256

3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e
SHA512

5e9a91dd398e3abd57bc0e28ba20ccc042950fd84848184307ec11bc5c1a72e3122d4739ac7a91368c4f0b3752fd83ddb42790072494cbf4f7fb0ee3ec2abccd
SSDEEP

768:z6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:u8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

640 omsecor.exe
2420 omsecor.exe
1080 omsecor.exe

pid	process
640	omsecor.exe
2420	omsecor.exe
1080	omsecor.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1080-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1080-6-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/640-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/640-8-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/640-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/640-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/640-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Windows\SysWOW64\omsecor.exe	upx
behavioral2/memory/640-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2420-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/2420-27-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1080-29-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1080-30-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1080-33-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1080 wrote to memory of 640	1080	3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe	omsecor.exe
PID 1080 wrote to memory of 640	1080	3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe	omsecor.exe
PID 1080 wrote to memory of 640	1080	3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe	omsecor.exe
PID 640 wrote to memory of 2420	640	omsecor.exe	omsecor.exe
PID 640 wrote to memory of 2420	640	omsecor.exe	omsecor.exe
PID 640 wrote to memory of 2420	640	omsecor.exe	omsecor.exe
PID 2420 wrote to memory of 1080	2420	omsecor.exe	omsecor.exe
PID 2420 wrote to memory of 1080	2420	omsecor.exe	omsecor.exe
PID 2420 wrote to memory of 1080	2420	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
502a68b5a6ed95480da38f2ffeda8203

SHA1
ab920dd38e718e0cbd3e5e2e41c955aad3c20f28

SHA256
d8eb945ea9781489b0fa42f3800e4e99285c133de85e45b1d0830eb6bdb92090

SHA512
ba96045a15b3e41b500d702f7a81c81994b1e8d81a1d55436d92070e161a74ca36435ddfdafbac0823e9f3f6d202c2df6b7c31fad0208cea567520e8a1553f06

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
ef9a09776315c7a5b1eefdc69f51d39e

SHA1
162578d8dd1c38a42bc41124873c4358a70047a2

SHA256
e3870a605f4f393d0fba006d080c562474b5dc625374d81f6b3e1ca924440a3f

SHA512
264e3a524bf764c1157aae9d9bd224dd469a5971f8926744da7e57ce82fcd50144c08815e4a78e9fa9af0b5c7196fdc8e586b8db4dccd2b8a14afd535f5b2623

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
310a1d74cef7dd5d50ae301c7351c246

SHA1
a8a80239cf7ec0f1cfcafa07853938a55d94107f

SHA256
8882d28769db2275a6d47252bd37ca2d024a2f090025f30e0b5aa9184cbee5a1

SHA512
96d76e154b0060e51e296aad1ec7729ad3afc793836cbeff2f9940eaddc979eb087f59ff97d581da6e959baa0e69790b987a796d319bf653ed2b4dfe6462bf51

Download Submit
memory/640-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/640-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/640-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/640-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/640-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/640-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1080-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1080-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1080-29-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1080-30-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1080-33-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2420-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2420-27-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing