neconyd | ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de

General

Target

ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe
Size

76KB
MD5

6c91618b400534c4f5023e9e291f2872
SHA1

46731e532f24dd3ec64bd9f0082a6c2ccc8fdcd4
SHA256

ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de
SHA512

98670f31c3fc0f7655b50aa3867fa89f9d43af2b182a42731e21b30fe0a21437eeb3a666e11ff41e5d7dc62cf2c8ace385d116c884ee3a747ca5d12e46d614b5
SSDEEP

1536:pd9dseIOcE93dIvYvZDyF4EEOF6N4yS+AQmZTl/5R11:pdseIOKEZDyFjEOFqTiQm5l/5R11

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1508 omsecor.exe
2288 omsecor.exe
1648 omsecor.exe

pid	process
1508	omsecor.exe
2288	omsecor.exe
1648	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exeomsecor.exeomsecor.exe

pid	process
2328	ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe
2328	ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe
1508	omsecor.exe
1508	omsecor.exe
2288	omsecor.exe
2288	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2328 wrote to memory of 1508	2328	ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe	omsecor.exe
PID 2328 wrote to memory of 1508	2328	ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe	omsecor.exe
PID 2328 wrote to memory of 1508	2328	ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe	omsecor.exe
PID 2328 wrote to memory of 1508	2328	ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe	omsecor.exe
PID 1508 wrote to memory of 2288	1508	omsecor.exe	omsecor.exe
PID 1508 wrote to memory of 2288	1508	omsecor.exe	omsecor.exe
PID 1508 wrote to memory of 2288	1508	omsecor.exe	omsecor.exe
PID 1508 wrote to memory of 2288	1508	omsecor.exe	omsecor.exe
PID 2288 wrote to memory of 1648	2288	omsecor.exe	omsecor.exe
PID 2288 wrote to memory of 1648	2288	omsecor.exe	omsecor.exe
PID 2288 wrote to memory of 1648	2288	omsecor.exe	omsecor.exe
PID 2288 wrote to memory of 1648	2288	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe
"C:\Users\Admin\AppData\Local\Temp\ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
76KB

MD5
a7f31a4455044935b61af7af119c39ec

SHA1
a9e6bb3ade77fd041178f61c79c2445782d16daf

SHA256
d7fc0e31f36dbd4b9feef2a2c644ebf3cea080f179370de88148fc8efd84b719

SHA512
8350b14bde59b349940a53bd2e27581b3bb3d6b37b3d2749d81163fc16f75e401dc8dbae61f4462916cc02ca54c9644506e21c98d9527d4f32b3d844c894bab8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
76KB

MD5
f165ed1e7f8dd8a31e76a225b4c4edfa

SHA1
4b5e777702a63900f62c70aef93db0007f2b7e1c

SHA256
4b24807e3017ca949d79dbb19f08746441aeadea4b348e58001c7a1ef5e94330

SHA512
576bf902cbfee114a45e651927012d61fa157ef37f4490dff583f54094e11e483c96d1231bdcdc572610584d30608e47f8f7b2886dd5c5d175c99e7a9b8a30de

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
76KB

MD5
8f79288573d94247985574dbd9418f0b

SHA1
eb263b672f6afeb385ddf0e3a09c5b98915fbf40

SHA256
b1c62da4132ce2a471de4783a25a7a60b181e3cf9564090ed0c17cc1f68b0a3e

SHA512
4037c71f38dc550c6d3190f2ef39fcadbffbf56a9bc1e3d8b5a496b8ed9d4d27fb1140836dbf374d04d0c846369c7af9a6e065cbf45a0fdd9ae8d04521906701

Download Submit
memory/1508-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1508-18-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/1508-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1648-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1648-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2288-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2328-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2328-4-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2328-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing