neconyd | 45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96

General

Target

45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe
Size

35KB
MD5

3b4fba3f44d07aadbab4a658e865b190
SHA1

2414153f73ea03b84089f14356d69bd0b653a8cb
SHA256

45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96
SHA512

ee6740e80da38278d1509a252d92e4e67c4195dd030fe6e2d24e4f621f3ddf944e3bda11c33864debec998d36f8f459d0d1ffdd4c7a7957088f2f2944b245e13
SSDEEP

768:e6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:l8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

1284 omsecor.exe
4600 omsecor.exe

pid	process
1284	omsecor.exe
4600	omsecor.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3184-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/1284-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3184-6-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1284-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1284-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1284-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1284-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Windows\SysWOW64\omsecor.exe	upx
behavioral2/memory/4600-18-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1284-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4600-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4600-24-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exeomsecor.exe

description	pid	process	target process
PID 3184 wrote to memory of 1284	3184	45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe	omsecor.exe
PID 3184 wrote to memory of 1284	3184	45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe	omsecor.exe
PID 3184 wrote to memory of 1284	3184	45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe	omsecor.exe
PID 1284 wrote to memory of 4600	1284	omsecor.exe	omsecor.exe
PID 1284 wrote to memory of 4600	1284	omsecor.exe	omsecor.exe
PID 1284 wrote to memory of 4600	1284	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3184

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:3648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
e48a8a045991fe9fa98dc91c014042d7

SHA1
50f31e988c590a62dc64e246dff0199958445a66

SHA256
3299caa7f355dd474bede0d5af400365a3eecbff3db2d3eaf49c8db1ed70181a

SHA512
dd0cbcd8c7b90180cb79f7ed7ccefdfbb57c55e3ba08dd3789e6b547ca458ed2343f9cd6ad654b57b10b04457a60000a7e5ee514a84f186226c29585af394b61

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
bb7892f877bac00db3e9b102506da1ca

SHA1
f8f6183c6b42dd8da5bc07975af79e6f3563da38

SHA256
4afb1ef9d63712d1bc21ea2932db27dea84e238e268687882602c21aac046087

SHA512
798e53bf56b5d1788bcde4d1aecbbd03079409f3708db7d1375c19d0dda85a08597c662741a54c9b979869f91b51cbda1d7538b7de15190f42d591b541e55e39

Download Submit
memory/1284-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1284-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1284-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1284-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1284-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1284-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3184-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3184-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4600-18-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4600-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4600-24-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing