neconyd | 246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f

General

Target

246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe
Size

35KB
MD5

e69ae221fff2dcf6c1f366e671b2078e
SHA1

5f37bf7979cf054dbb36b6cb2b2badc52529788e
SHA256

246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f
SHA512

5ed74426720ef5f11df9211c9eedf541f94a5ddc3e5d18195194afa139af7e3d32a8d3636a9dccf429c39e41fcac8854fb34816a124dac122760a38f0b66c9cf
SSDEEP

768:86vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:78Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

UPX dump on OEP (original entry point) 15 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4356-5-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
C:\Users\Admin\AppData\Roaming\omsecor.exe	UPX
behavioral2/memory/5048-7-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4356-0-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/5048-8-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/5048-11-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/5048-14-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/5048-15-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
C:\Windows\SysWOW64\omsecor.exe	UPX
behavioral2/memory/5048-21-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4800-23-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
C:\Users\Admin\AppData\Roaming\omsecor.exe	UPX
behavioral2/memory/1276-27-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/1276-29-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/1276-32-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

5048 omsecor.exe
4800 omsecor.exe
1276 omsecor.exe

pid	process
5048	omsecor.exe
4800	omsecor.exe
1276	omsecor.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4356-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/5048-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4356-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/5048-8-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/5048-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/5048-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/5048-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Windows\SysWOW64\omsecor.exe	upx
behavioral2/memory/5048-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4800-23-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/1276-27-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1276-29-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1276-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 4356 wrote to memory of 5048	4356	246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe	omsecor.exe
PID 4356 wrote to memory of 5048	4356	246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe	omsecor.exe
PID 4356 wrote to memory of 5048	4356	246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe	omsecor.exe
PID 5048 wrote to memory of 4800	5048	omsecor.exe	omsecor.exe
PID 5048 wrote to memory of 4800	5048	omsecor.exe	omsecor.exe
PID 5048 wrote to memory of 4800	5048	omsecor.exe	omsecor.exe
PID 4800 wrote to memory of 1276	4800	omsecor.exe	omsecor.exe
PID 4800 wrote to memory of 1276	4800	omsecor.exe	omsecor.exe
PID 4800 wrote to memory of 1276	4800	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe
"C:\Users\Admin\AppData\Local\Temp\246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4356

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
0fb5edc7893e1da430680ff911f73057

SHA1
84a9be3cc0cb45a6646046b1a639cd867315fa5d

SHA256
e6c75556495f35839bf8953d76453d0f4a7b1ff3582950f9f1b07b4a5455135b

SHA512
69ad5063c4cdd2320e0f2cc041dae63dcb5d6dc9333efd48a1eabf9a2eb38c87e807d369e277acc490b1fcaafcfe7273206e240cbe9f290bd88283f4ff1e6c54

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
9cebf2f0201bebbbcef9a6a383ad404a

SHA1
cc582139dd10ad753c1b4654fc2c811766bd7e71

SHA256
6d3754fb8d8c8049a77516f2834f6001d98d69d09221e9913041b02765dcf402

SHA512
43e47e9834fe918856c8ee65b45086254f18624ae56fffc210ab17f192f1c2c73426acfd24e6f38fba79b72c255e194a17d3029e40678ef2b3040da670b69b01

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
6eca2aee2aa8f38b839d59f40544e3b2

SHA1
a927f98d5752bb3211517e0aef851fb90f30d427

SHA256
13e36881f2e7deb8fe0728bc6f05225802af22cd62816e19134ca9cd5c909553

SHA512
44e78480e42a012a2e143a9e6772f4fe7d0002e78ff9075c196027c4a5d2486b6f086be0e6a12804d2fffb831b9cbf528f7adaa0cd586a4e7a1c9faa57c6145e

Download Submit
memory/1276-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1276-29-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1276-27-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4356-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4356-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4800-23-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5048-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5048-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5048-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5048-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5048-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5048-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads