neconyd | 76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187

General

Target

76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe
Size

35KB
MD5

56dc087cd5f7b574d90fa1ec3284c880
SHA1

03806dac55ceeda707b0d0ca39008997373d5998
SHA256

76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187
SHA512

f3ece9aa9f350d257434a202e1ffd202c8caa26532b8e148240409e73f25df86527d729392715796df76884a3d5e1041b99930fcbbe5f71ee455c6759232ed8a
SSDEEP

768:J6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:k8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

216 omsecor.exe
2128 omsecor.exe
2212 omsecor.exe

pid	process
216	omsecor.exe
2128	omsecor.exe
2212	omsecor.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/960-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/216-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/960-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/216-8-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/216-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/216-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/216-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Windows\SysWOW64\omsecor.exe	upx
behavioral2/memory/216-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2128-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2128-26-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/2212-29-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2212-30-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2212-33-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 960 wrote to memory of 216	960	76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe	omsecor.exe
PID 960 wrote to memory of 216	960	76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe	omsecor.exe
PID 960 wrote to memory of 216	960	76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe	omsecor.exe
PID 216 wrote to memory of 2128	216	omsecor.exe	omsecor.exe
PID 216 wrote to memory of 2128	216	omsecor.exe	omsecor.exe
PID 216 wrote to memory of 2128	216	omsecor.exe	omsecor.exe
PID 2128 wrote to memory of 2212	2128	omsecor.exe	omsecor.exe
PID 2128 wrote to memory of 2212	2128	omsecor.exe	omsecor.exe
PID 2128 wrote to memory of 2212	2128	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:2212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
3c9c7d55f88b0c4efb4f19816d4eab17

SHA1
a2259da2f240d6bd2133964934951598a4f10c11

SHA256
5831cfba6867711b203fd052a150a3e6cebe038b43ab00bae463750c1d70436a

SHA512
0f09ec735b3abdf0572b87cdeb578d286be8e2d41deb49b441c1c4fd705e655ef8c521eb36f338f934daed8e8818cffadaf9616ee93b6dd73f9699500cf83301

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
a5dd43764ad353142c2f2c0494a2bff4

SHA1
eb51684bc7f09e6487144283f76e2bd681983a5a

SHA256
1fb35b9a815b7951d8603302cd63fcb5b862f7d1f248b3b120ce6734225ce5bf

SHA512
dcf8c5f3500fb68d3609d9c7ff7739095932a36ca256a390d5ad62cac8e32ea3f01817d253f24f2b2aaae00389da389a325cf97991abce5b91cbd061813a2eb7

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
c8c1799e878f34d5edc84b686e2430cc

SHA1
7fca95da67696aca4a97f290dbd3bfb7ece6bf7b

SHA256
022262e68d90d8c340fa1cabc47bf2b01a6682e168bc54d908890137cd48ab1e

SHA512
89060dc24a7338b7b5588348cc3aa6d95977c1d81bac75b74a472ba471d70e1e8e7d8c33c94dd90d3b605f0eb3df60ed5efdc4366dd21d4ff97a9ed939efbe43

Download Submit
memory/216-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/216-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/216-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/216-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/216-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/216-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/960-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/960-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2128-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2128-26-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2212-29-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2212-30-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2212-33-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing