neconyd | 7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f

General

Target

7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f.exe
Size

35KB
MD5

23a7ea04451a9470711d2b32bca34d40
SHA1

d1c6d7c1191d6468d1ffb74d016ee6e23558caec
SHA256

7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f
SHA512

b622a77c2fa520f9669cf662e196b98693ddcbc0b5170ebbfc1a9c981ccfdf385a6c018fda01a79d74136ded7b0290c1ec80d957b68aadbcfc9d09e3f1158f34
SSDEEP

768:R6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:c8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

3356 omsecor.exe
3480 omsecor.exe
4832 omsecor.exe

pid	process
3356	omsecor.exe
3480	omsecor.exe
4832	omsecor.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3472-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/3472-4-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3356-6-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3356-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3356-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3356-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3356-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Windows\SysWOW64\omsecor.exe	upx
behavioral2/memory/3356-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3480-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/3480-25-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4832-27-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4832-29-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4832-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3472 wrote to memory of 3356	3472	7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f.exe	omsecor.exe
PID 3472 wrote to memory of 3356	3472	7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f.exe	omsecor.exe
PID 3472 wrote to memory of 3356	3472	7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f.exe	omsecor.exe
PID 3356 wrote to memory of 3480	3356	omsecor.exe	omsecor.exe
PID 3356 wrote to memory of 3480	3356	omsecor.exe	omsecor.exe
PID 3356 wrote to memory of 3480	3356	omsecor.exe	omsecor.exe
PID 3480 wrote to memory of 4832	3480	omsecor.exe	omsecor.exe
PID 3480 wrote to memory of 4832	3480	omsecor.exe	omsecor.exe
PID 3480 wrote to memory of 4832	3480	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f.exe
"C:\Users\Admin\AppData\Local\Temp\7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3472

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:4832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
56ce10ddc8a1d3ca7d0bcb758335ee68

SHA1
082130b08780c6c1a1da23dc3de8a7f6fe2e87ef

SHA256
2caea9708f6ab2807eceea782c56d93edfc07f850889e0dcf28d50f4403446e4

SHA512
9e25a81b937c987e3f53c02592e36026d488e9e61c6a3b1882594f6001958a44488d423537f9dad60f33d2e0c7ef2c21dc2ac642cb06dea5da92c631d38f89ac

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
747a912e7c5c5e0f9b2c37c549a81700

SHA1
d73df6317c5429eb1ee1d7fe9070d65c805b3c20

SHA256
f6c288c3d50782bac08ce5334fce9ac97ca9a412975d338b0bbd9c48edc12b03

SHA512
d931a7015ca377228238a33d39c4cf8f9d21271839f82c030fdcf72347b4c4943164905732562b30aa065d4f480789617bcf5e1f305576146b040fdf5fce4fd7

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
0c00f02ff814142b6ad8a352f13228c4

SHA1
7d67a38653c17f75f64086485a158ac00e9e45dd

SHA256
0f6a67886019d650a8cb32ac92cc2155de4c8df8c9089f1fb293445b53daae5a

SHA512
34b9d8ae4eb3ec4fc2d320b3f97a121ac00d97ee8cdaa96e33dcbc9534f0b699516d654d2c724cbadf98bbec5f2359f6c588fa7e9cffc7c18c9b782f5991296e

Download Submit
memory/3356-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3356-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3356-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3356-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3356-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3356-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3472-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3472-4-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3480-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3480-25-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4832-27-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4832-29-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4832-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing