neconyd | 2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7

General

Target

2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7.exe
Size

35KB
MD5

1f4e6c8bddad2c1f80fba1b18fe4fd6d
SHA1

d393b472bf2b927c97aa4c19a42b19c6895477f1
SHA256

2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7
SHA512

099c19c904fa63ead343bc54da8f56456217c116cdae1207786644ff8a57f0d858001ae0893093103c7a3641d61e406a329b66e72ec15e4256462e30e35ec18a
SSDEEP

768:P6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:S8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

UPX dump on OEP (original entry point) 17 IoCs

resource	yara_rule
behavioral1/memory/1940-0-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/files/0x000500000000b309-2.dat	UPX
behavioral1/memory/1940-11-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1736-12-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1736-14-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1736-17-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1736-20-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/1736-23-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/files/0x0005000000004ed7-25.dat	UPX
behavioral1/memory/1736-26-0x0000000000430000-0x000000000045D000-memory.dmp	UPX
behavioral1/memory/1736-33-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/files/0x000500000000b309-37.dat	UPX
behavioral1/memory/2240-39-0x00000000001B0000-0x00000000001DD000-memory.dmp	UPX
behavioral1/memory/2240-46-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/3048-47-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/3048-49-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/3048-52-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

pid	Process
1736	omsecor.exe
2240	omsecor.exe
3048	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1940	2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7.exe
1940	2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7.exe
1736	omsecor.exe
1736	omsecor.exe
2240	omsecor.exe
2240	omsecor.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1940-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000500000000b309-2.dat	upx
behavioral1/memory/1940-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1736-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1736-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1736-17-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1736-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1736-23-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-25.dat	upx
behavioral1/memory/1736-26-0x0000000000430000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1736-33-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000500000000b309-37.dat	upx
behavioral1/memory/2240-39-0x00000000001B0000-0x00000000001DD000-memory.dmp	upx
behavioral1/memory/2240-46-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/3048-47-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/3048-49-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/3048-52-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1736	1940	2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7.exe	28
PID 1940 wrote to memory of 1736	1940	2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7.exe	28
PID 1940 wrote to memory of 1736	1940	2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7.exe	28
PID 1940 wrote to memory of 1736	1940	2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7.exe	28
PID 1736 wrote to memory of 2240	1736	omsecor.exe	32
PID 1736 wrote to memory of 2240	1736	omsecor.exe	32
PID 1736 wrote to memory of 2240	1736	omsecor.exe	32
PID 1736 wrote to memory of 2240	1736	omsecor.exe	32
PID 2240 wrote to memory of 3048	2240	omsecor.exe	33
PID 2240 wrote to memory of 3048	2240	omsecor.exe	33
PID 2240 wrote to memory of 3048	2240	omsecor.exe	33
PID 2240 wrote to memory of 3048	2240	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7.exe
"C:\Users\Admin\AppData\Local\Temp\2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:3048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
c46d7d63d95bf61d79fd154f721af26b

SHA1
28ada29b76abf17f4647544aa5e2b8712a52c7a2

SHA256
b95acf302ac3605b6dbeace64a484f4a5128daf7bb0ba5a9d9fe194b64939bcd

SHA512
422f948b1265d422233fc490035872421a6b4fe2e6ec73ca03eb639fad60738b6b6e8963117de648ba0cd395d1e4c132a2553d83b3dab24502bcce8959098db8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
aa6e5787f2dcbb092496f53dadc6faa0

SHA1
e4b45db6b968465eaf5cb04f9e161136aedae7a4

SHA256
562abac16abbdda23f4637d36f9c53cc5c51cbd4da4d0d40ea08cae3e905161d

SHA512
cb4a0076122226834d70477530e63303ec1a55a9edfa7ade0615cc7e14474919c297628e546be558b23fad12a849c2908df0f88270692b6bffa9c280cbc53ff4

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
6eb19d4c0e8dc5036cb86d0af718a4fb

SHA1
eb331672e94b31a66bdc86c1a32561f1298eccc9

SHA256
3e99d81814c188dc918b85932339cb2a59fa8889c824cb1188c99c6aebd6c383

SHA512
d01f101d3585dfe2de6fe4b91f12c87039827958be75150bc66b853f9c81074643054a86dc05c84969d506d936e60570d61a36ad10e99528fff32dbd9285b936

Download Submit
memory/1736-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1736-26-0x0000000000430000-0x000000000045D000-memory.dmp

Filesize
180KB

Download
memory/1736-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1736-17-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1736-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1736-23-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1736-33-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1940-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1940-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1940-9-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/2240-39-0x00000000001B0000-0x00000000001DD000-memory.dmp

Filesize
180KB

Download
memory/2240-46-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3048-47-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3048-49-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3048-52-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing