neconyd | fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486

General

Target

fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486.exe
Size

35KB
MD5

2938df17655406f6f7dd2e487c53c1c5
SHA1

50167caa0e9766991e2b87e43d820a730ba32c8a
SHA256

fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486
SHA512

34447e0c51d6ce191486173ccf8dfefe5d5bac4c29daaa050f915bc6df72f0d14a14a9cde0c17332ec0718048a72cc14c8a10f3c10049e723d8c90cfaef8a8d2
SSDEEP

768:76vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:m8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

UPX dump on OEP (original entry point) 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2980-0-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
\Users\Admin\AppData\Roaming\omsecor.exe	UPX
behavioral1/memory/2980-3-0x00000000005C0000-0x00000000005ED000-memory.dmp	UPX
behavioral1/memory/2980-10-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1716-12-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1716-14-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1716-20-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1716-23-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
\Windows\SysWOW64\omsecor.exe	UPX
behavioral1/memory/1716-26-0x0000000000310000-0x000000000033D000-memory.dmp	UPX
behavioral1/memory/1768-37-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1716-34-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
\Users\Admin\AppData\Roaming\omsecor.exe	UPX
behavioral1/memory/1768-43-0x0000000000220000-0x000000000024D000-memory.dmp	UPX
behavioral1/memory/1268-49-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1268-52-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1716 omsecor.exe
1768 omsecor.exe
1268 omsecor.exe

pid	process
1716	omsecor.exe
1768	omsecor.exe
1268	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486.exeomsecor.exeomsecor.exe

pid	process
2980	fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486.exe
2980	fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486.exe
1716	omsecor.exe
1716	omsecor.exe
1768	omsecor.exe
1768	omsecor.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2980-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/2980-3-0x00000000005C0000-0x00000000005ED000-memory.dmp	upx
behavioral1/memory/2980-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1716-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1716-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1716-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1716-23-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Windows\SysWOW64\omsecor.exe	upx
behavioral1/memory/1716-26-0x0000000000310000-0x000000000033D000-memory.dmp	upx
behavioral1/memory/1768-37-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1716-34-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/1768-43-0x0000000000220000-0x000000000024D000-memory.dmp	upx
behavioral1/memory/1268-49-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1268-52-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2980 wrote to memory of 1716	2980	fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486.exe	omsecor.exe
PID 2980 wrote to memory of 1716	2980	fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486.exe	omsecor.exe
PID 2980 wrote to memory of 1716	2980	fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486.exe	omsecor.exe
PID 2980 wrote to memory of 1716	2980	fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486.exe	omsecor.exe
PID 1716 wrote to memory of 1768	1716	omsecor.exe	omsecor.exe
PID 1716 wrote to memory of 1768	1716	omsecor.exe	omsecor.exe
PID 1716 wrote to memory of 1768	1716	omsecor.exe	omsecor.exe
PID 1716 wrote to memory of 1768	1716	omsecor.exe	omsecor.exe
PID 1768 wrote to memory of 1268	1768	omsecor.exe	omsecor.exe
PID 1768 wrote to memory of 1268	1768	omsecor.exe	omsecor.exe
PID 1768 wrote to memory of 1268	1768	omsecor.exe	omsecor.exe
PID 1768 wrote to memory of 1268	1768	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486.exe
"C:\Users\Admin\AppData\Local\Temp\fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
a17bf18357316df314199e2e33b196ea

SHA1
2ae3769c1ac36b87ce8ae5c849666697d670185b

SHA256
18c9a3812e5b8ed7427e7900c73120d25bf614c391b1e2b657723740e768bd0b

SHA512
a0eb415ef6f3022ebb4c44f084c843571ff16bfca7c9b79d14259cab1a0119d004997f41d370da5dcce0be534843d2cbb07a58a3f9ad267ee1fa41046c6f38ec

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
f872c8966d1f5920ef50e2a24863591d

SHA1
0da78760d705676d606f3f8f269c3c40ecaa935c

SHA256
70bd26c73f5feaf4f72f80300701ed1c3a6cdd6d200dd550b3b16ed166eb76b2

SHA512
2fab512d57b8957443cdcb22997b377063926e373f8a7970b7c3e43098086d6d74edc4b6458411e276176427a55dc9a371a7e5e39e2e7bc173e8bc4f43236039

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
c0eadf00e84a73691c7f6a0ae9526e60

SHA1
8840b5a1e1be568ed9a9c928fb69328782ad2640

SHA256
5610df1c0f1d5fcd13539e3097ea7e2456d4795dc394623284df0a8748471979

SHA512
0277837e7a6f9a2edb4d0d759321d0ea5673f5f46caa1ce6c76cd62429ba655013cdd60ff378d3954ce412d0ea655c47759531eab3325c4bc5290033dcb0de11

Download Submit
memory/1268-49-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1268-52-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1716-26-0x0000000000310000-0x000000000033D000-memory.dmp

Filesize
180KB

Download
memory/1716-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1716-23-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1716-34-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1716-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1716-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1768-37-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1768-46-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/1768-43-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/2980-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2980-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2980-3-0x00000000005C0000-0x00000000005ED000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads