neconyd | 246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f

General

Target

246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe
Size

35KB
MD5

e69ae221fff2dcf6c1f366e671b2078e
SHA1

5f37bf7979cf054dbb36b6cb2b2badc52529788e
SHA256

246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f
SHA512

5ed74426720ef5f11df9211c9eedf541f94a5ddc3e5d18195194afa139af7e3d32a8d3636a9dccf429c39e41fcac8854fb34816a124dac122760a38f0b66c9cf
SSDEEP

768:86vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:78Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

UPX dump on OEP (original entry point) 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3048-0-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
C:\Users\Admin\AppData\Roaming\omsecor.exe	UPX
behavioral1/memory/2192-12-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/3048-9-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2192-13-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2192-19-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2192-22-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
\Windows\SysWOW64\omsecor.exe	UPX
behavioral1/memory/2484-33-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2192-31-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
\Users\Admin\AppData\Roaming\omsecor.exe	UPX
behavioral1/memory/2484-44-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1968-46-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1968-48-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1968-51-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2192 omsecor.exe
2484 omsecor.exe
1968 omsecor.exe

pid	process
2192	omsecor.exe
2484	omsecor.exe
1968	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exeomsecor.exeomsecor.exe

pid	process
3048	246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe
3048	246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe
2192	omsecor.exe
2192	omsecor.exe
2484	omsecor.exe
2484	omsecor.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3048-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/2192-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/3048-9-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2192-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2192-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2192-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Windows\SysWOW64\omsecor.exe	upx
behavioral1/memory/2484-33-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2192-31-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/2484-44-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1968-46-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1968-48-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1968-51-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3048 wrote to memory of 2192	3048	246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe	omsecor.exe
PID 3048 wrote to memory of 2192	3048	246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe	omsecor.exe
PID 3048 wrote to memory of 2192	3048	246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe	omsecor.exe
PID 3048 wrote to memory of 2192	3048	246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe	omsecor.exe
PID 2192 wrote to memory of 2484	2192	omsecor.exe	omsecor.exe
PID 2192 wrote to memory of 2484	2192	omsecor.exe	omsecor.exe
PID 2192 wrote to memory of 2484	2192	omsecor.exe	omsecor.exe
PID 2192 wrote to memory of 2484	2192	omsecor.exe	omsecor.exe
PID 2484 wrote to memory of 1968	2484	omsecor.exe	omsecor.exe
PID 2484 wrote to memory of 1968	2484	omsecor.exe	omsecor.exe
PID 2484 wrote to memory of 1968	2484	omsecor.exe	omsecor.exe
PID 2484 wrote to memory of 1968	2484	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe
"C:\Users\Admin\AppData\Local\Temp\246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
9cebf2f0201bebbbcef9a6a383ad404a

SHA1
cc582139dd10ad753c1b4654fc2c811766bd7e71

SHA256
6d3754fb8d8c8049a77516f2834f6001d98d69d09221e9913041b02765dcf402

SHA512
43e47e9834fe918856c8ee65b45086254f18624ae56fffc210ab17f192f1c2c73426acfd24e6f38fba79b72c255e194a17d3029e40678ef2b3040da670b69b01

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
89333ff258e8e1d800e6ad708825caed

SHA1
9f71c4bcb00027799f6a1d86a5ed7639173fa59a

SHA256
680a674a3f93dc11bb72291debc32770ed41dc70e5c8ce09553e95fd25083f4b

SHA512
23b45bdb8987d9a19cbc52c76a2281f9fdead93ca31997b2cf46971ca2f96a56304a9b7472c1ebab6516b038b9bef84b8776986a2eb60d3a1caf9afbc88745e0

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
586cc9daba8f13419532f8238c93a620

SHA1
30f44284c750268e5d8023c21635d3e80e4d5186

SHA256
84b90e5cb4fcfaa24c53ebf11645827146481855ba0e4200ab933e8ca4050dca

SHA512
50b4ffa221bd8e374d6cca64b65e2087c1d859d8d8ffbdc60312ff69f5edb3c7e11b9c4ed1c25b894129edf06edb8069adf7954a5cd3baa292111ce71be6f5d5

Download Submit
memory/1968-51-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1968-48-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1968-46-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2192-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2192-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2192-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2192-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2192-31-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2484-33-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2484-44-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2484-38-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/3048-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3048-9-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads