neconyd | 76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187

General

Target

76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe
Size

35KB
MD5

56dc087cd5f7b574d90fa1ec3284c880
SHA1

03806dac55ceeda707b0d0ca39008997373d5998
SHA256

76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187
SHA512

f3ece9aa9f350d257434a202e1ffd202c8caa26532b8e148240409e73f25df86527d729392715796df76884a3d5e1041b99930fcbbe5f71ee455c6759232ed8a
SSDEEP

768:J6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:k8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2188 omsecor.exe
1920 omsecor.exe
2184 omsecor.exe

pid	process
2188	omsecor.exe
1920	omsecor.exe
2184	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exeomsecor.exeomsecor.exe

pid	process
1992	76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe
1992	76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe
2188	omsecor.exe
2188	omsecor.exe
1920	omsecor.exe
1920	omsecor.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1992-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/1992-4-0x0000000000220000-0x000000000024D000-memory.dmp	upx
behavioral1/memory/1992-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2188-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2188-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2188-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Windows\SysWOW64\omsecor.exe	upx
behavioral1/memory/2188-25-0x0000000000280000-0x00000000002AD000-memory.dmp	upx
behavioral1/memory/2188-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/1920-43-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2184-45-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2184-47-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2184-50-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1992 wrote to memory of 2188	1992	76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe	omsecor.exe
PID 1992 wrote to memory of 2188	1992	76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe	omsecor.exe
PID 1992 wrote to memory of 2188	1992	76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe	omsecor.exe
PID 1992 wrote to memory of 2188	1992	76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe	omsecor.exe
PID 2188 wrote to memory of 1920	2188	omsecor.exe	omsecor.exe
PID 2188 wrote to memory of 1920	2188	omsecor.exe	omsecor.exe
PID 2188 wrote to memory of 1920	2188	omsecor.exe	omsecor.exe
PID 2188 wrote to memory of 1920	2188	omsecor.exe	omsecor.exe
PID 1920 wrote to memory of 2184	1920	omsecor.exe	omsecor.exe
PID 1920 wrote to memory of 2184	1920	omsecor.exe	omsecor.exe
PID 1920 wrote to memory of 2184	1920	omsecor.exe	omsecor.exe
PID 1920 wrote to memory of 2184	1920	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:2184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
539be159b383aad7e2719fdba7008c25

SHA1
676038fa82f2b9eed66c761bcaf66b900fbd7aa8

SHA256
e48de03c1a650725635273807c7a15775eba213a8347cfe124b3dd6c9f9de0b4

SHA512
172dda99b814c3431e49a2680a70e38500333704095a1f0d8311086ca9a34337f9751b0820b77a7a794f8529a7497f62762f11b0af8e769acc7a2d9d1195177d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
a5dd43764ad353142c2f2c0494a2bff4

SHA1
eb51684bc7f09e6487144283f76e2bd681983a5a

SHA256
1fb35b9a815b7951d8603302cd63fcb5b862f7d1f248b3b120ce6734225ce5bf

SHA512
dcf8c5f3500fb68d3609d9c7ff7739095932a36ca256a390d5ad62cac8e32ea3f01817d253f24f2b2aaae00389da389a325cf97991abce5b91cbd061813a2eb7

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
d17006b464b057242ee5069aaebd819b

SHA1
ae2bc00f3264b1fa0c6b5e059d5b929e5b88d728

SHA256
6ee1cff0dc2e9669c08d2dcf45fe809917f222958dce11910daca9946e8e2976

SHA512
c0ab61579d31bb224d049dc40349e13875987d5ac0b9753d50514214d4bf93b0ee5a78258f753f0c0c3ceb1d0ee971ee08d7bb3d4f9751a211c685acb3508140

Download Submit
memory/1920-43-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1992-4-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/1992-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1992-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2184-50-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2184-47-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2184-45-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2188-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2188-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2188-25-0x0000000000280000-0x00000000002AD000-memory.dmp

Filesize
180KB

Download
memory/2188-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2188-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads