neconyd | bb8472bb5ce410b3aa85389a15fc1028fe5c98b6c4955593f27f387b10cb9254

General

Target

bb8472bb5ce410b3aa85389a15fc1028fe5c98b6c4955593f27f387b10cb9254.exe
Size

35KB
MD5

6ff32439d9355ff831be91579c202551
SHA1

8657f981ac07473006f0c463c9a0a1685faa7ce6
SHA256

bb8472bb5ce410b3aa85389a15fc1028fe5c98b6c4955593f27f387b10cb9254
SHA512

f0df7d1e3456f9a5d6dff1e7a02be213559698fa3ad1c2331f1f5ffba235300f86957399a00cb82f3e6ecee93d9e9e8754c5dafaa5fb443e99da304fd1388a0a
SSDEEP

768:V6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:Y8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

UPX dump on OEP (original entry point) 16 IoCs

resource	yara_rule
behavioral1/memory/1516-0-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1516-4-0x0000000000220000-0x000000000024D000-memory.dmp	UPX
behavioral1/files/0x000b000000014502-2.dat	UPX
behavioral1/memory/1516-10-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2104-14-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2104-15-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2104-18-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2104-21-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2104-22-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/files/0x0005000000004ed7-28.dat	UPX
behavioral1/memory/2584-39-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2104-35-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/files/0x000b000000014502-40.dat	UPX
behavioral1/memory/1004-48-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1004-50-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1004-53-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

pid	Process
2104	omsecor.exe
2584	omsecor.exe
1004	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1516	bb8472bb5ce410b3aa85389a15fc1028fe5c98b6c4955593f27f387b10cb9254.exe
1516	bb8472bb5ce410b3aa85389a15fc1028fe5c98b6c4955593f27f387b10cb9254.exe
2104	omsecor.exe
2104	omsecor.exe
2584	omsecor.exe
2584	omsecor.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1516-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1516-4-0x0000000000220000-0x000000000024D000-memory.dmp	upx
behavioral1/files/0x000b000000014502-2.dat	upx
behavioral1/memory/1516-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2104-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2104-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2104-18-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2104-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2104-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-28.dat	upx
behavioral1/memory/2584-39-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2104-35-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000b000000014502-40.dat	upx
behavioral1/memory/1004-48-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1004-50-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1004-53-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 2104	1516	bb8472bb5ce410b3aa85389a15fc1028fe5c98b6c4955593f27f387b10cb9254.exe	28
PID 1516 wrote to memory of 2104	1516	bb8472bb5ce410b3aa85389a15fc1028fe5c98b6c4955593f27f387b10cb9254.exe	28
PID 1516 wrote to memory of 2104	1516	bb8472bb5ce410b3aa85389a15fc1028fe5c98b6c4955593f27f387b10cb9254.exe	28
PID 1516 wrote to memory of 2104	1516	bb8472bb5ce410b3aa85389a15fc1028fe5c98b6c4955593f27f387b10cb9254.exe	28
PID 2104 wrote to memory of 2584	2104	omsecor.exe	32
PID 2104 wrote to memory of 2584	2104	omsecor.exe	32
PID 2104 wrote to memory of 2584	2104	omsecor.exe	32
PID 2104 wrote to memory of 2584	2104	omsecor.exe	32
PID 2584 wrote to memory of 1004	2584	omsecor.exe	33
PID 2584 wrote to memory of 1004	2584	omsecor.exe	33
PID 2584 wrote to memory of 1004	2584	omsecor.exe	33
PID 2584 wrote to memory of 1004	2584	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\bb8472bb5ce410b3aa85389a15fc1028fe5c98b6c4955593f27f387b10cb9254.exe
"C:\Users\Admin\AppData\Local\Temp\bb8472bb5ce410b3aa85389a15fc1028fe5c98b6c4955593f27f387b10cb9254.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
994e9fe3938242cbe5f7f94a1de0d656

SHA1
45106f11c18893c960138a933d650f49c7ca9747

SHA256
a2343e1b0192bc778e9e72f210605e287740bda08a4201694ada66ac753435c6

SHA512
cecb0e23d144fe0d5645afe38e38ed5220c613d0ae63394f9aaa70537cbfe7d0fc1de7eeac63a9c6c01f5c64c04c70e672b094069da2f206a0656c81797d6310

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
c1044d517bcdf9810d54c9686a443e8e

SHA1
99d11ffe6d89a450ed03d70716f12a039a8c05f7

SHA256
c79b2c13bbae4864aa9ec195e33b821caafe796ab64e9787737c0f35e772beb4

SHA512
1944accb75a14fe6014715660668723ea72ad01466d1c63c5eb5e9bfb032595a70837b5e2c67655821d2df74685f56ffc5abaad808e6bffc8a5a5d8dd3c393fe

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
cdc1f88cec7967e4cb85616bbf1d0a77

SHA1
3d5412636618b0e09264226060a7f8d5271e8891

SHA256
3b860c0af2370cabb879a6160ebdac54074c541353d2004699655c7ec803084b

SHA512
1e92e274e6846d519ef4e3ec83bae71616c4c246184cbab13f355a8a76715454839dd61babf42da21e54d34dbe98cefd277bc555102a0ce09e0a39ab069c3e53

Download Submit
memory/1004-53-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1004-50-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1004-48-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1516-4-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/1516-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1516-11-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/1516-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2104-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2104-35-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2104-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2104-18-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2104-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2104-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2584-39-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing