neconyd | 58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2

General

Target

58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe
Size

35KB
MD5

11fa304e0abec32f6a61eb96578784a0
SHA1

4a8727736d141a4fab9fda2f10402b62c081b712
SHA256

58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2
SHA512

96b4a5def62ce0e13e3a0c7aff1ed422224844bb7243faacc5604423b088413746cd74e26f15b4019b54b5b7e3c5cce33bb43e4d210f52d83034b9c793f89c23
SSDEEP

768:L6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:28Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1800 omsecor.exe
2344 omsecor.exe
2388 omsecor.exe

pid	process
1800	omsecor.exe
2344	omsecor.exe
2388	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exeomsecor.exeomsecor.exe

pid	process
1740	58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe
1740	58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe
1800	omsecor.exe
1800	omsecor.exe
2344	omsecor.exe
2344	omsecor.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1740-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/1740-9-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1800-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1800-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1800-16-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1800-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1800-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Windows\SysWOW64\omsecor.exe	upx
behavioral1/memory/1800-25-0x0000000000290000-0x00000000002BD000-memory.dmp	upx
behavioral1/memory/1800-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2344-36-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2344-39-0x00000000003C0000-0x00000000003ED000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/2388-46-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2388-48-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2388-51-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1740 wrote to memory of 1800	1740	58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe	omsecor.exe
PID 1740 wrote to memory of 1800	1740	58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe	omsecor.exe
PID 1740 wrote to memory of 1800	1740	58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe	omsecor.exe
PID 1740 wrote to memory of 1800	1740	58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe	omsecor.exe
PID 1800 wrote to memory of 2344	1800	omsecor.exe	omsecor.exe
PID 1800 wrote to memory of 2344	1800	omsecor.exe	omsecor.exe
PID 1800 wrote to memory of 2344	1800	omsecor.exe	omsecor.exe
PID 1800 wrote to memory of 2344	1800	omsecor.exe	omsecor.exe
PID 2344 wrote to memory of 2388	2344	omsecor.exe	omsecor.exe
PID 2344 wrote to memory of 2388	2344	omsecor.exe	omsecor.exe
PID 2344 wrote to memory of 2388	2344	omsecor.exe	omsecor.exe
PID 2344 wrote to memory of 2388	2344	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe
"C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:2388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
aa0e450021dfba3816c1a7ffd49778f1

SHA1
0f89d7867dda58b71d655e6742dcbceb624f2f97

SHA256
251b86da5a2b3f77c16022d2cb2db5ce2744a4878c5c5e5c672eb8cc13512112

SHA512
7909175c217c6f165953f2a0ddeddf680d37f040893f3a22db237a36bfb572784a81a599d66d9e9e6f448f8aaa8c6251a7f73aa142f2d6bf66b3826bd752cecb

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
1568b913a6c759401b3cba106ba05a93

SHA1
f5d325f5d30d673a158d3113ac47ec51b00271c6

SHA256
5d3b63fe847c6204a27a495e1cd96b8bd666423ac476c9c3be118e3a9942708f

SHA512
5d8758a895453034bb0a3df48c3e4e714114da22283241284f2b275ca3e721a3a78fc64925a939ab46728d9d33a622a2eb8818789828d041e418973fa8fba7cc

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
977a898b28b95ff324e407822597bdf9

SHA1
127f3a09bce71cd6c23fa1637ed186a751f25f26

SHA256
dcdec63f18f0a984d847ef1b8932d8254cbd9abae4d8a0667a569249eaf8ff17

SHA512
77ac870977091ff76cde1c7e6774373ae96b3770d76d47c5e21581ebcbb946566c10414ce2c2e2a8982701ec5194dd1a0f69ed5a9180185020c2ace06cfb505e

Download Submit
memory/1740-9-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1740-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1800-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1800-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1800-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1800-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1800-25-0x0000000000290000-0x00000000002BD000-memory.dmp

Filesize
180KB

Download
memory/1800-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1800-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2344-36-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2344-39-0x00000000003C0000-0x00000000003ED000-memory.dmp

Filesize
180KB

Download
memory/2388-46-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2388-48-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2388-51-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads