neconyd | 4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2

General

Target

4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe
Size

35KB
MD5

913c77c4166dbafdc682186be5afbde3
SHA1

64b1d5e0c77fa3dccd54b801315aea203777ad9e
SHA256

4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2
SHA512

b9d9e1720daac2f1401aa08436960d3ab0323a5fa4fca5dba0a8b90ec382c3e2045b444c2504a656f3bc7089a02954217778aee9a746064f4f0e310417b3227b
SSDEEP

768:L6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:28Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

UPX dump on OEP (original entry point) 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2184-0-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
C:\Users\Admin\AppData\Roaming\omsecor.exe	UPX
behavioral1/memory/2012-11-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2184-10-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2012-13-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2012-16-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2012-19-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2012-22-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
\Windows\SysWOW64\omsecor.exe	UPX
behavioral1/memory/2012-25-0x0000000000370000-0x000000000039D000-memory.dmp	UPX
behavioral1/memory/2012-32-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
\Users\Admin\AppData\Roaming\omsecor.exe	UPX
behavioral1/memory/1608-45-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2728-44-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1608-47-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1608-50-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2012 omsecor.exe
2728 omsecor.exe
1608 omsecor.exe

pid	process
2012	omsecor.exe
2728	omsecor.exe
1608	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exeomsecor.exeomsecor.exe

pid	process
2184	4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe
2184	4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe
2012	omsecor.exe
2012	omsecor.exe
2728	omsecor.exe
2728	omsecor.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2184-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/2012-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2184-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2012-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2012-16-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2012-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2012-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Windows\SysWOW64\omsecor.exe	upx
behavioral1/memory/2012-25-0x0000000000370000-0x000000000039D000-memory.dmp	upx
behavioral1/memory/2012-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/1608-45-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2728-44-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1608-47-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1608-50-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2184 wrote to memory of 2012	2184	4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe	omsecor.exe
PID 2184 wrote to memory of 2012	2184	4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe	omsecor.exe
PID 2184 wrote to memory of 2012	2184	4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe	omsecor.exe
PID 2184 wrote to memory of 2012	2184	4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe	omsecor.exe
PID 2012 wrote to memory of 2728	2012	omsecor.exe	omsecor.exe
PID 2012 wrote to memory of 2728	2012	omsecor.exe	omsecor.exe
PID 2012 wrote to memory of 2728	2012	omsecor.exe	omsecor.exe
PID 2012 wrote to memory of 2728	2012	omsecor.exe	omsecor.exe
PID 2728 wrote to memory of 1608	2728	omsecor.exe	omsecor.exe
PID 2728 wrote to memory of 1608	2728	omsecor.exe	omsecor.exe
PID 2728 wrote to memory of 1608	2728	omsecor.exe	omsecor.exe
PID 2728 wrote to memory of 1608	2728	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe
"C:\Users\Admin\AppData\Local\Temp\4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
e2adea8aedc1637e781d0a59dec101be

SHA1
51d5a770910a50d6377fee7481a9c777d624364e

SHA256
475b463606742af95a5dbbfdbae95057ea0143449593d64d7c3f8159945813cd

SHA512
fd1e591719cb84972c022aa75a885a57bd356f08658ed4be9d7700e009598dade6dd672ceae7118e1c51d009fab0d3bc9dc2a7c7fbd00952533e3dd67b5f645c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
1607d3fabd9b95f05303ed4539bf2371

SHA1
4e7205eb340f0305f046a62d2f13fb891a0aa8eb

SHA256
90cedb0afdf46f1f979dfaa9bdc5425433b3ef47a029d6e72ce066c373b5787c

SHA512
5dfae15cfa5460de3843cc7b4b950bd2ce129dfb89b4831890d33c9e2f365159c4880a223a91ed4ac47545328441478185da4453a6a8e1794d10ed8032e179d9

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
a9d3ed7a2dc69f662f2a8e853fc83d3e

SHA1
5498bc194a1b2705c8b01947e3076d4ee360d863

SHA256
324d9020dd6f3f132f8a90effa66d6541168d031093bbdc9669c345fd8878d48

SHA512
c08c6246167de706f6dd19e9926779f9c6ee877bc768994ec135fa24d3785f66d3390776f91930ca72363060879c5cdeeddb7a91b292661d889f9779b7d86d13

Download Submit
memory/1608-45-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1608-47-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1608-50-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2012-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2012-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2012-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2012-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2012-25-0x0000000000370000-0x000000000039D000-memory.dmp

Filesize
180KB

Download
memory/2012-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2012-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2184-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2184-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2728-44-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads