neconyd | 16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c

General

Target

16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe
Size

92KB
MD5

6ba54844031eb80d4d6da6e516b8e657
SHA1

208618d23bb152da38915ddd1286f5d5e057e68b
SHA256

16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c
SHA512

ce776f945ee1f165713dd245438941c22ba2529dc2639d89c73e2fc6b91230112963fd9c0b9b1f5386d906746102309e1bf641824f9f38d67bb005254bcac483
SSDEEP

768:hMEIvFGvoEr8LFK0ic46N47eSvYAHwmZGp6JXXlaa5uA:hbIvYvoEyFKF6N4ySAAQmZTl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

3040 omsecor.exe
1940 omsecor.exe
1976 omsecor.exe

pid	process
3040	omsecor.exe
1940	omsecor.exe
1976	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exeomsecor.exeomsecor.exe

pid	process
3008	16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe
3008	16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe
3040	omsecor.exe
3040	omsecor.exe
1940	omsecor.exe
1940	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3008 wrote to memory of 3040	3008	16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe	omsecor.exe
PID 3008 wrote to memory of 3040	3008	16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe	omsecor.exe
PID 3008 wrote to memory of 3040	3008	16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe	omsecor.exe
PID 3008 wrote to memory of 3040	3008	16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe	omsecor.exe
PID 3040 wrote to memory of 1940	3040	omsecor.exe	omsecor.exe
PID 3040 wrote to memory of 1940	3040	omsecor.exe	omsecor.exe
PID 3040 wrote to memory of 1940	3040	omsecor.exe	omsecor.exe
PID 3040 wrote to memory of 1940	3040	omsecor.exe	omsecor.exe
PID 1940 wrote to memory of 1976	1940	omsecor.exe	omsecor.exe
PID 1940 wrote to memory of 1976	1940	omsecor.exe	omsecor.exe
PID 1940 wrote to memory of 1976	1940	omsecor.exe	omsecor.exe
PID 1940 wrote to memory of 1976	1940	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe
"C:\Users\Admin\AppData\Local\Temp\16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
e1979a757a663d0d47976310da3a2fcb

SHA1
9e5073caac16ef7810beeca6e80d58324e102a38

SHA256
6ddf688fa5afce979fcd073964f7175ec38854b7e8c1bf163ee3526b238ba8be

SHA512
dc354566bd0fe60624b13bf2c91cdc099dc36b78842b137070f4fed841cbf40fe7392dcaac60d0c4ab8e5aafe3adf41dd707c5ef0b4c770523eefa30eed79134

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
db46a93fb4a2a2c492a8c9d21f301388

SHA1
3f15f1bebd1cbf48225a59f5aa5129e1bedc9447

SHA256
7c74e0c37f2e88b642e202a079f4656644d4ebe915054065746c8455bfb199df

SHA512
c0bc448a845c2cb7f67ddf1560059ae72b69b9b61150d2a3550f3ed4046f7f1cd36a2df57c269fd5c1c6792125f5689ec6b63c9ecf22c1a95e7ebf8cc5721a8e

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
92KB

MD5
b9c7c67da40253e812c0058589f7964d

SHA1
baaaf608205cfdbb387eaa67eb9f827a587fe145

SHA256
421ef27522d23a72d020b749c02e5ee8275c1fe598412c525d3c39365fe9877d

SHA512
95e086113c0aa1b0e1044d25327e433f552272498c82227dca8b12d2d0f68b823110776f29eee4edbfac7def092e81a8603b2663541fbca0bfa2ed8766963212

Download Submit
memory/1940-33-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/1940-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1940-32-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/1976-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3008-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3008-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3040-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3040-22-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3040-15-0x00000000004B0000-0x00000000004DB000-memory.dmp

Filesize
172KB

Download
memory/3040-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing