neconyd | d91b3ec73ca8044d0e377c7fe634d91e3d751913a801f45f4bef34570afef18b

General

Target

732b2433782c09459f211457ff9a6f20_NEAS.exe
Size

119KB
MD5

732b2433782c09459f211457ff9a6f20
SHA1

801d09fe6a3b1488740465bc9fa246947f792838
SHA256

d91b3ec73ca8044d0e377c7fe634d91e3d751913a801f45f4bef34570afef18b
SHA512

467369ddbd45434162d7f83465930a3de01a14716a82a54374182b61d43fb845edbf987b6cf85baeb9e67484e7e4c26194bb2417dcb8745595c1c30777e8077a
SSDEEP

1536:Dd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZznOeibgX7H:jdseIOMEZEyFjEOFqTiQmxnOeV7H

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
1240	omsecor.exe
2880	omsecor.exe
2564	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2036	732b2433782c09459f211457ff9a6f20_NEAS.exe
2036	732b2433782c09459f211457ff9a6f20_NEAS.exe
1240	omsecor.exe
1240	omsecor.exe
2880	omsecor.exe
2880	omsecor.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000012301-10.dat	upx
behavioral1/memory/1240-9-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2036-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1240-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-15.dat	upx
behavioral1/memory/1240-16-0x0000000000290000-0x00000000002BD000-memory.dmp	upx
behavioral1/memory/1240-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000b000000012301-26.dat	upx
behavioral1/memory/2880-28-0x0000000000220000-0x000000000024D000-memory.dmp	upx
behavioral1/memory/2880-33-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2564-36-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1240	2036	732b2433782c09459f211457ff9a6f20_NEAS.exe	28
PID 2036 wrote to memory of 1240	2036	732b2433782c09459f211457ff9a6f20_NEAS.exe	28
PID 2036 wrote to memory of 1240	2036	732b2433782c09459f211457ff9a6f20_NEAS.exe	28
PID 2036 wrote to memory of 1240	2036	732b2433782c09459f211457ff9a6f20_NEAS.exe	28
PID 1240 wrote to memory of 2880	1240	omsecor.exe	32
PID 1240 wrote to memory of 2880	1240	omsecor.exe	32
PID 1240 wrote to memory of 2880	1240	omsecor.exe	32
PID 1240 wrote to memory of 2880	1240	omsecor.exe	32
PID 2880 wrote to memory of 2564	2880	omsecor.exe	33
PID 2880 wrote to memory of 2564	2880	omsecor.exe	33
PID 2880 wrote to memory of 2564	2880	omsecor.exe	33
PID 2880 wrote to memory of 2564	2880	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\732b2433782c09459f211457ff9a6f20_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\732b2433782c09459f211457ff9a6f20_NEAS.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:2564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
119KB

MD5
3e5de6382dc23be53bcc614366dfade1

SHA1
904dc747d63d024776d92243fb07b7bba0fb901b

SHA256
11af0fc11e9b51624a2a844e9264d59ef0a26a098fc579aac0a6a282cbc5dec6

SHA512
423c395e8428778cfbd57d1f0b3e19970118acefa59779ceeefa1a3070e4c87080d06854fc3f237e971f912b083d558dc5fce4baef17aa33761a3be6bcda5138

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
119KB

MD5
14603b8cb35e7f4ead1ab0bd8beb216e

SHA1
883071ce413f9793def0503a6fa6e32d2d2d20c7

SHA256
a55c8fc3cfa53dfa699ac9be23e490f743e568f6b2bad3234609fd7b1c570967

SHA512
d4b9af7266a35b67dbeb19d8a255e8d21be93a76792f5f48cc6ca5a8b91c0ecb9c183a74611213d98f05f8e8006fb48b340c7dc84d2a78fe81a85437812f3b28

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
119KB

MD5
136b7370bab9eefe01e5da2fee33bf66

SHA1
46ea6993adba39d9a46ad8afc662dcd1a712b705

SHA256
f5f9bd9e00bd54db80780be8e9d608d9748dcb8e5901cc75f8c543c9f55e888a

SHA512
d55e08e758c06322f31ce25880c236c7938dff14b02b11904ddabba99e6a852782c392eab36ded0f399a4756211e6f519c2269e0afcaee57f8d6092dda830749

Download Submit
memory/1240-9-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1240-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1240-16-0x0000000000290000-0x00000000002BD000-memory.dmp

Filesize
180KB

Download
memory/1240-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2036-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2564-36-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2880-28-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/2880-33-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing