neconyd | 50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce

General

Target

50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe
Size

72KB
MD5

efa71cb9ad8a61e610054887015740a3
SHA1

dabbefd99a1af75822e4df7d38dd133c72505264
SHA256

50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce
SHA512

3f0ffb5a9f574ddac1721eaaaf8d0005ef54fc2a8b7b52394dab7ba3d6ffad0c910b15e91aa5267e8363ccdaedf042e56a37923d310e2d50ad06f9caa9bd4977
SSDEEP

768:8MEIvFGvoEr8LFK0ic46N47eSvYAHwmZGp6JXXlaa5uA:8bIvYvoEyFKF6N4ySAAQmZTl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2328 omsecor.exe
2012 omsecor.exe
1208 omsecor.exe

pid	process
2328	omsecor.exe
2012	omsecor.exe
1208	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exeomsecor.exeomsecor.exe

pid	process
836	50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe
836	50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe
2328	omsecor.exe
2328	omsecor.exe
2012	omsecor.exe
2012	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 836 wrote to memory of 2328	836	50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe	omsecor.exe
PID 836 wrote to memory of 2328	836	50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe	omsecor.exe
PID 836 wrote to memory of 2328	836	50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe	omsecor.exe
PID 836 wrote to memory of 2328	836	50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe	omsecor.exe
PID 2328 wrote to memory of 2012	2328	omsecor.exe	omsecor.exe
PID 2328 wrote to memory of 2012	2328	omsecor.exe	omsecor.exe
PID 2328 wrote to memory of 2012	2328	omsecor.exe	omsecor.exe
PID 2328 wrote to memory of 2012	2328	omsecor.exe	omsecor.exe
PID 2012 wrote to memory of 1208	2012	omsecor.exe	omsecor.exe
PID 2012 wrote to memory of 1208	2012	omsecor.exe	omsecor.exe
PID 2012 wrote to memory of 1208	2012	omsecor.exe	omsecor.exe
PID 2012 wrote to memory of 1208	2012	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe
"C:\Users\Admin\AppData\Local\Temp\50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
72KB

MD5
2e3a04c7437f52b16f134cf7a56f2961

SHA1
bc2dc3ce8cbae3f2625c4dea1b12f81468f5c3a1

SHA256
16eecd31e364d097bac9c975f13f6163b2a80cf251364561a6c1cab33ee10db0

SHA512
2db0788feb00a4170d7cb080b5677c5fa7baa19dc1d8ca624cd85de200452a06f86592eec3e061c81bc278f4e4528847c40c877430d4d0b7da2d45dba04b8c62

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
72KB

MD5
04ff573ba6d9fd30e5a5f9abcf496c18

SHA1
87d29bf1c23c07be06698bc965fbeb3c736be88c

SHA256
3f1266d33a12b1d265026c21bd232edf25565714192187d88b0390ca93305941

SHA512
0ccab192cf9cb28fab20a2802ff5d933c4bbdc57e1a95d4aa5ca7694f291d7350ab07bbf1fce8f0e6e2b9eef0f38e10d1cd49ac352961bd767f7234920754720

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
72KB

MD5
7efd26ec4108afa01250afd06d682c3d

SHA1
44ff2eff77391e73eba0c8cb74da133b89958ffb

SHA256
feb7729122bbf01e151cdb2b9707df3edfcf34ce091f4cc54e1cb0c045fa623d

SHA512
51d2c2976fab4404d454ea5dcf3bae1d472d483d92e848adeb48f95469dbec9bf13c5c6a608cf15df35825b5803c0a69032c2e61e7171815233f510855c8d7cd

Download Submit
memory/836-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/836-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1208-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1208-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2012-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2012-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2328-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2328-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2328-17-0x0000000000430000-0x000000000045B000-memory.dmp

Filesize
172KB

Download
memory/2328-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing