neconyd | 5690e277e56ecbbd0701366636b511715ece839feaab593a38a0d48ec3bdad69

General

Target

5690e277e56ecbbd0701366636b511715ece839feaab593a38a0d48ec3bdad69.exe
Size

92KB
MD5

9fcffd8c288108ea541c8845aab398cf
SHA1

79e9f5369930dd74b9a69af9a795ab8f4bc16fe7
SHA256

5690e277e56ecbbd0701366636b511715ece839feaab593a38a0d48ec3bdad69
SHA512

49ff20163d431f26d3eab07a0e4fd69f0b8d41507305100f483271999b8816a2e3bec10b1ca4f49bcd46eb0e49b320fefc7bb5d9126abe887d440297e2e22465
SSDEEP

768:3MEIvFGvZEh8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:3bIvYvZEgFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2804 omsecor.exe
1572 omsecor.exe
1612 omsecor.exe

pid	process
2804	omsecor.exe
1572	omsecor.exe
1612	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

5690e277e56ecbbd0701366636b511715ece839feaab593a38a0d48ec3bdad69.exeomsecor.exeomsecor.exe

pid	process
2932	5690e277e56ecbbd0701366636b511715ece839feaab593a38a0d48ec3bdad69.exe
2932	5690e277e56ecbbd0701366636b511715ece839feaab593a38a0d48ec3bdad69.exe
2804	omsecor.exe
2804	omsecor.exe
1572	omsecor.exe
1572	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5690e277e56ecbbd0701366636b511715ece839feaab593a38a0d48ec3bdad69.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2932 wrote to memory of 2804	2932	5690e277e56ecbbd0701366636b511715ece839feaab593a38a0d48ec3bdad69.exe	omsecor.exe
PID 2932 wrote to memory of 2804	2932	5690e277e56ecbbd0701366636b511715ece839feaab593a38a0d48ec3bdad69.exe	omsecor.exe
PID 2932 wrote to memory of 2804	2932	5690e277e56ecbbd0701366636b511715ece839feaab593a38a0d48ec3bdad69.exe	omsecor.exe
PID 2932 wrote to memory of 2804	2932	5690e277e56ecbbd0701366636b511715ece839feaab593a38a0d48ec3bdad69.exe	omsecor.exe
PID 2804 wrote to memory of 1572	2804	omsecor.exe	omsecor.exe
PID 2804 wrote to memory of 1572	2804	omsecor.exe	omsecor.exe
PID 2804 wrote to memory of 1572	2804	omsecor.exe	omsecor.exe
PID 2804 wrote to memory of 1572	2804	omsecor.exe	omsecor.exe
PID 1572 wrote to memory of 1612	1572	omsecor.exe	omsecor.exe
PID 1572 wrote to memory of 1612	1572	omsecor.exe	omsecor.exe
PID 1572 wrote to memory of 1612	1572	omsecor.exe	omsecor.exe
PID 1572 wrote to memory of 1612	1572	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\5690e277e56ecbbd0701366636b511715ece839feaab593a38a0d48ec3bdad69.exe
"C:\Users\Admin\AppData\Local\Temp\5690e277e56ecbbd0701366636b511715ece839feaab593a38a0d48ec3bdad69.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
9d9aa122962490d224d482fa5399d3ae

SHA1
916388a7d08cd2e519033d7f172391a512cf9272

SHA256
92aad438f3ed97b0902fa179d086365440228d6d9e1062a3d8c0bcf4516a99fe

SHA512
e7a9234abce8c5d8f365abba26318831f435ff7b28c7a81f14f4838f72994838a049452b029718b2f725e41334feebcb6fb085b42cd14defa9ed8c14416b51bb

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
6edd33c693972d730ce9a2d4eaf5cd3a

SHA1
30d36d100de2b2cdaeb434af08e07b13d9fe73dc

SHA256
a0eb1c63c5bf29883645eafd5b54e4dd299383d6b8e97472b2a10f3889a0b22c

SHA512
115ad1ff94f16a0690256bbdd6141630793f5ff4fc4140459f6eb335fa2fac2b4d622ff8f68e90fb7c8a9beb65c1a907b4f392c1f1e83910fd23ce4385b48715

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
92KB

MD5
924213c03f6f355c91c60828a5ed993c

SHA1
99d47455703345630323084d65297e6d6f24e6ae

SHA256
ea7b4c0d6435d987cca7be813987de398bae881f44e9d3f013cbdcaba73b8949

SHA512
e68547aba2131ec4a33a5c36bebc2a71351e48f92e9f8d3c982e1e04d2e7e2fdb530cab5ea919b7e997436d6543cddaa0406d7b47d352171c04c89d3a6d97a43

Download Submit
memory/1572-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1572-27-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1612-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2804-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2804-18-0x00000000020B0000-0x00000000020DB000-memory.dmp

Filesize
172KB

Download
memory/2804-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2804-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2932-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2932-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2932-8-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing