neconyd | 4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2

General

Target

4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe
Size

35KB
MD5

913c77c4166dbafdc682186be5afbde3
SHA1

64b1d5e0c77fa3dccd54b801315aea203777ad9e
SHA256

4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2
SHA512

b9d9e1720daac2f1401aa08436960d3ab0323a5fa4fca5dba0a8b90ec382c3e2045b444c2504a656f3bc7089a02954217778aee9a746064f4f0e310417b3227b
SSDEEP

768:L6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:28Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

UPX dump on OEP (original entry point) 15 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4820-1-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
C:\Users\Admin\AppData\Roaming\omsecor.exe	UPX
behavioral2/memory/4820-4-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4376-5-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4376-7-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4376-10-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4376-13-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4376-14-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4376-20-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
C:\Windows\SysWOW64\omsecor.exe	UPX
behavioral2/memory/4032-22-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
C:\Users\Admin\AppData\Roaming\omsecor.exe	UPX
behavioral2/memory/3832-26-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/3832-28-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/3832-31-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

4376 omsecor.exe
4032 omsecor.exe
3832 omsecor.exe

pid	process
4376	omsecor.exe
4032	omsecor.exe
3832	omsecor.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4820-1-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/4820-4-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4376-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4376-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4376-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4376-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4376-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4376-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Windows\SysWOW64\omsecor.exe	upx
behavioral2/memory/4032-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/3832-26-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3832-28-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3832-31-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 4820 wrote to memory of 4376	4820	4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe	omsecor.exe
PID 4820 wrote to memory of 4376	4820	4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe	omsecor.exe
PID 4820 wrote to memory of 4376	4820	4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe	omsecor.exe
PID 4376 wrote to memory of 4032	4376	omsecor.exe	omsecor.exe
PID 4376 wrote to memory of 4032	4376	omsecor.exe	omsecor.exe
PID 4376 wrote to memory of 4032	4376	omsecor.exe	omsecor.exe
PID 4032 wrote to memory of 3832	4032	omsecor.exe	omsecor.exe
PID 4032 wrote to memory of 3832	4032	omsecor.exe	omsecor.exe
PID 4032 wrote to memory of 3832	4032	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe
"C:\Users\Admin\AppData\Local\Temp\4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4820

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:3832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
228e425210ac020563b2b1b6f28f5aed

SHA1
3f08728720c29a3ac8a0608bd56f3523eba431d2

SHA256
ce34686b61de6932a1322196bb096ef08542782a7df8d647c1ff7fb767f3dedd

SHA512
85cc8888f4969d9a9e616a95bfa32b922cd1b9c3326b94e90572e6b33ae0d222a652741bff7512b199661d4e6ed5b7eebb1eeab6b2875470dd761a8d18987064

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
e2adea8aedc1637e781d0a59dec101be

SHA1
51d5a770910a50d6377fee7481a9c777d624364e

SHA256
475b463606742af95a5dbbfdbae95057ea0143449593d64d7c3f8159945813cd

SHA512
fd1e591719cb84972c022aa75a885a57bd356f08658ed4be9d7700e009598dade6dd672ceae7118e1c51d009fab0d3bc9dc2a7c7fbd00952533e3dd67b5f645c

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
d35e92d956e0f50a75c6e934146bdef3

SHA1
f747691742950e34de24b51da7fc74495846c8d7

SHA256
8ff45b8b0a3389a4bd1b1ac571c526f6443f9d8eb1a6769966f2159ee6f2ac0f

SHA512
7cb9044477d1e4d8ebe0fdae1a6f94ea7c39469f1d1b62f07660a68c7652b2b802b49e408a02505340ebf5047a1d33121976872b91ebc9d99b4c6ba107728f88

Download Submit
memory/3832-31-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3832-28-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3832-26-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4032-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4376-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4376-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4376-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4376-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4376-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4376-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4820-1-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4820-4-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads