neconyd | 3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6

General

Target

3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe
Size

35KB
MD5

5c976cc0ae922d683fda7143d7f00624
SHA1

7229b68a02f34b51685e76bd4f5fdca6b18634fa
SHA256

3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6
SHA512

092e21992c72879684fad918738088d18303c6661b3b6d2e25c80a2f0ae3ccfcb6e5ef53d9931ba5f254269c1e8354855c9c59369d31b1c1e40add874b3892bb
SSDEEP

768:i6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:R8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

1680 omsecor.exe
2796 omsecor.exe

pid	process
1680	omsecor.exe
2796	omsecor.exe

Loads dropped DLL 4 IoCs

Processes:

3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exeomsecor.exe

pid	process
944	3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe
944	3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe
1680	omsecor.exe
1680	omsecor.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/944-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/944-9-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/1680-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1680-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1680-16-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1680-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1680-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Windows\SysWOW64\omsecor.exe	upx
behavioral1/memory/1680-25-0x0000000000340000-0x000000000036D000-memory.dmp	upx
behavioral1/memory/1680-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2796-35-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2796-36-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2796-39-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exeomsecor.exe

description	pid	process	target process
PID 944 wrote to memory of 1680	944	3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe	omsecor.exe
PID 944 wrote to memory of 1680	944	3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe	omsecor.exe
PID 944 wrote to memory of 1680	944	3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe	omsecor.exe
PID 944 wrote to memory of 1680	944	3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe	omsecor.exe
PID 1680 wrote to memory of 2796	1680	omsecor.exe	omsecor.exe
PID 1680 wrote to memory of 2796	1680	omsecor.exe	omsecor.exe
PID 1680 wrote to memory of 2796	1680	omsecor.exe	omsecor.exe
PID 1680 wrote to memory of 2796	1680	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe
"C:\Users\Admin\AppData\Local\Temp\3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
94649c28606d6e3aa3622bc1db94a390

SHA1
ee4545baf07a4b156bbb4bc96db63da5efe75238

SHA256
30c57dbb22b534f0104ac3fe63e0ebfb8cd831857e092a8dae2e2afdb1b0832c

SHA512
57b3d996118ddc487d26429120bd127d45132e8b8b39a687efeebdb6ef20639a3f58286ba1924e5671f605a7d8a38669f33469e8360a9f11fc8f13575ba2ed9f

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
55fd133b77f1469b3debedbaaf87aa48

SHA1
f0a1e94bbe973e58bd43cee6a7fa3255c4d734e2

SHA256
a461f0e28f19c9de0e8ed11ee563c1fc43270214028f21ba3b43590b9a5f3463

SHA512
a1c77d2ce6c85e5728a8dffe3e9b1d65e0bcdbf24202ccb88475cbf451ab1789554c65c953b9004b406dfd6cf60fb17d1b2d80bda408519efdb3f4c320a00207

Download Submit
memory/944-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/944-9-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1680-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1680-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1680-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1680-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1680-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1680-25-0x0000000000340000-0x000000000036D000-memory.dmp

Filesize
180KB

Download
memory/1680-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1680-34-0x0000000000340000-0x000000000036D000-memory.dmp

Filesize
180KB

Download
memory/2796-35-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2796-36-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2796-39-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads