neconyd | 2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7

General

Target

2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7.exe
Size

35KB
MD5

1f4e6c8bddad2c1f80fba1b18fe4fd6d
SHA1

d393b472bf2b927c97aa4c19a42b19c6895477f1
SHA256

2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7
SHA512

099c19c904fa63ead343bc54da8f56456217c116cdae1207786644ff8a57f0d858001ae0893093103c7a3641d61e406a329b66e72ec15e4256462e30e35ec18a
SSDEEP

768:P6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:S8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

UPX dump on OEP (original entry point) 13 IoCs

resource	yara_rule
behavioral2/memory/4980-0-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/files/0x0006000000022f3f-3.dat	UPX
behavioral2/memory/4404-7-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4980-6-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4404-8-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4404-11-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4404-14-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4404-15-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/files/0x000d0000000233a0-18.dat	UPX
behavioral2/memory/4404-20-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/3944-22-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/3944-23-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/3944-26-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Executes dropped EXE 2 IoCs

pid	Process
4404	omsecor.exe
3944	omsecor.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4980-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x0006000000022f3f-3.dat	upx
behavioral2/memory/4404-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4980-6-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4404-8-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4404-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4404-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4404-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000d0000000233a0-18.dat	upx
behavioral2/memory/4404-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3944-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3944-23-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3944-26-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 4404	4980	2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7.exe	82
PID 4980 wrote to memory of 4404	4980	2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7.exe	82
PID 4980 wrote to memory of 4404	4980	2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7.exe	82
PID 4404 wrote to memory of 3944	4404	omsecor.exe	92
PID 4404 wrote to memory of 3944	4404	omsecor.exe	92
PID 4404 wrote to memory of 3944	4404	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7.exe
"C:\Users\Admin\AppData\Local\Temp\2bba7f238aa1ac64645130c2614c4b2e751c0e5e15c73c4ddd45e0b78e7750e7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
c46d7d63d95bf61d79fd154f721af26b

SHA1
28ada29b76abf17f4647544aa5e2b8712a52c7a2

SHA256
b95acf302ac3605b6dbeace64a484f4a5128daf7bb0ba5a9d9fe194b64939bcd

SHA512
422f948b1265d422233fc490035872421a6b4fe2e6ec73ca03eb639fad60738b6b6e8963117de648ba0cd395d1e4c132a2553d83b3dab24502bcce8959098db8

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
aac25881df71f127cbdf981279c227e7

SHA1
2ba5bbae3f8bbc3bd01b85593897d196e06c7951

SHA256
a38251209ad0fc3b382aaec85398a2d46cf62458e4cd77cc4f5dafdfc5a0ee68

SHA512
35b6139671340d34f21f918c2a10c23d23ea34bd65a8c4555fb012023ac9bfdde5e47e7a4c2172b0de8a1b8f95d1bfc4b8de6271ad94f0f9e58fa522479338c8

Download Submit
memory/3944-26-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3944-23-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3944-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4404-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4404-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4404-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4404-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4404-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4404-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4980-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4980-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing