neconyd | fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486

General

Target

fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486.exe
Size

35KB
MD5

2938df17655406f6f7dd2e487c53c1c5
SHA1

50167caa0e9766991e2b87e43d820a730ba32c8a
SHA256

fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486
SHA512

34447e0c51d6ce191486173ccf8dfefe5d5bac4c29daaa050f915bc6df72f0d14a14a9cde0c17332ec0718048a72cc14c8a10f3c10049e723d8c90cfaef8a8d2
SSDEEP

768:76vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:m8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

UPX dump on OEP (original entry point) 13 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4780-0-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
C:\Users\Admin\AppData\Roaming\omsecor.exe	UPX
behavioral2/memory/5092-4-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4780-6-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/5092-7-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/5092-10-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/5092-13-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/5092-14-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
C:\Windows\SysWOW64\omsecor.exe	UPX
behavioral2/memory/1068-18-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/5092-21-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/1068-22-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/1068-25-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

5092 omsecor.exe
1068 omsecor.exe

pid	process
5092	omsecor.exe
1068	omsecor.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4780-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/5092-4-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4780-6-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/5092-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/5092-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/5092-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/5092-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Windows\SysWOW64\omsecor.exe	upx
behavioral2/memory/1068-18-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/5092-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1068-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1068-25-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486.exeomsecor.exe

description	pid	process	target process
PID 4780 wrote to memory of 5092	4780	fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486.exe	omsecor.exe
PID 4780 wrote to memory of 5092	4780	fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486.exe	omsecor.exe
PID 4780 wrote to memory of 5092	4780	fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486.exe	omsecor.exe
PID 5092 wrote to memory of 1068	5092	omsecor.exe	omsecor.exe
PID 5092 wrote to memory of 1068	5092	omsecor.exe	omsecor.exe
PID 5092 wrote to memory of 1068	5092	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486.exe
"C:\Users\Admin\AppData\Local\Temp\fe2895a9f0aa42a65b03c9829a2dfb77d1d4bd5d5cd870533422052fbeebc486.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:4848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
a17bf18357316df314199e2e33b196ea

SHA1
2ae3769c1ac36b87ce8ae5c849666697d670185b

SHA256
18c9a3812e5b8ed7427e7900c73120d25bf614c391b1e2b657723740e768bd0b

SHA512
a0eb415ef6f3022ebb4c44f084c843571ff16bfca7c9b79d14259cab1a0119d004997f41d370da5dcce0be534843d2cbb07a58a3f9ad267ee1fa41046c6f38ec

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
50c79d932344323f610095aa1c425244

SHA1
7b90a5575f26370e20cb6755c934bea1ce3c4566

SHA256
ce114bb478c1f2494e86902fc007f0dc3b40a406c3bb329148cd7881326c71a5

SHA512
e9cdc8c727d4102c413f0287d36315b776ede5604de3e61ee9fddcd40ef34cfed42761d335826e1035f8c7445161621768018aca86b85ed97f00e7526bdab6c5

Download Submit
memory/1068-25-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1068-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1068-18-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4780-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4780-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5092-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5092-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5092-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5092-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5092-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5092-4-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads