neconyd | 45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96

General

Target

45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe
Size

35KB
MD5

3b4fba3f44d07aadbab4a658e865b190
SHA1

2414153f73ea03b84089f14356d69bd0b653a8cb
SHA256

45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96
SHA512

ee6740e80da38278d1509a252d92e4e67c4195dd030fe6e2d24e4f621f3ddf944e3bda11c33864debec998d36f8f459d0d1ffdd4c7a7957088f2f2944b245e13
SSDEEP

768:e6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:l8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2600 omsecor.exe
2836 omsecor.exe
1800 omsecor.exe

pid	process
2600	omsecor.exe
2836	omsecor.exe
1800	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exeomsecor.exeomsecor.exe

pid	process
860	45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe
860	45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe
2600	omsecor.exe
2600	omsecor.exe
2836	omsecor.exe
2836	omsecor.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/860-1-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/860-4-0x0000000000220000-0x000000000024D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/860-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2600-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2600-17-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2600-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2600-23-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Windows\SysWOW64\omsecor.exe	upx
behavioral1/memory/2600-26-0x0000000000350000-0x000000000037D000-memory.dmp	upx
behavioral1/memory/2600-33-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2836-35-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/2836-40-0x0000000000220000-0x000000000024D000-memory.dmp	upx
behavioral1/memory/2836-46-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1800-49-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1800-52-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 860 wrote to memory of 2600	860	45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe	omsecor.exe
PID 860 wrote to memory of 2600	860	45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe	omsecor.exe
PID 860 wrote to memory of 2600	860	45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe	omsecor.exe
PID 860 wrote to memory of 2600	860	45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe	omsecor.exe
PID 2600 wrote to memory of 2836	2600	omsecor.exe	omsecor.exe
PID 2600 wrote to memory of 2836	2600	omsecor.exe	omsecor.exe
PID 2600 wrote to memory of 2836	2600	omsecor.exe	omsecor.exe
PID 2600 wrote to memory of 2836	2600	omsecor.exe	omsecor.exe
PID 2836 wrote to memory of 1800	2836	omsecor.exe	omsecor.exe
PID 2836 wrote to memory of 1800	2836	omsecor.exe	omsecor.exe
PID 2836 wrote to memory of 1800	2836	omsecor.exe	omsecor.exe
PID 2836 wrote to memory of 1800	2836	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
e48a8a045991fe9fa98dc91c014042d7

SHA1
50f31e988c590a62dc64e246dff0199958445a66

SHA256
3299caa7f355dd474bede0d5af400365a3eecbff3db2d3eaf49c8db1ed70181a

SHA512
dd0cbcd8c7b90180cb79f7ed7ccefdfbb57c55e3ba08dd3789e6b547ca458ed2343f9cd6ad654b57b10b04457a60000a7e5ee514a84f186226c29585af394b61

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
6b929af8674c414152c74a4323f264ed

SHA1
fcb47e85bd370e99aca32a02ab54988b2cace656

SHA256
e8f6840104afe62f741d7a9bc9a25f672d9bb69c9bb318fb5bdc21fd95d09265

SHA512
6df79107a9a88154626614cbc504ac1280618a999bc71c3b0748d38dea20289c9a61cf8165c283412b0691ca2c1f78fef5ec9f3e3986ea4d22dd4b20711501ec

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
e7bcf5cf6b9c7c186637cb14771b2023

SHA1
810c9e196c40c1581418f5fe89e9824d1b9b1042

SHA256
0a317b7c3eabc670bdbe45346e3bd37c926e1fd8a3cc376c3769fd2d74ab66bf

SHA512
dc47fb58c6f513590ba6113aa92daacbaa3a626fb30ff7e26467554361ba9c3bcbd78a9f5aa70f0526afb3a872d314a1fb82e81ae78d388eb9f08b87ee9f3f06

Download Submit
memory/860-4-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/860-9-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/860-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/860-1-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1800-52-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1800-49-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2600-23-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2600-26-0x0000000000350000-0x000000000037D000-memory.dmp

Filesize
180KB

Download
memory/2600-33-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2600-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2600-17-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2600-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2836-35-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2836-40-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/2836-46-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads