neconyd | 3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6

General

Target

3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe
Size

35KB
MD5

5c976cc0ae922d683fda7143d7f00624
SHA1

7229b68a02f34b51685e76bd4f5fdca6b18634fa
SHA256

3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6
SHA512

092e21992c72879684fad918738088d18303c6661b3b6d2e25c80a2f0ae3ccfcb6e5ef53d9931ba5f254269c1e8354855c9c59369d31b1c1e40add874b3892bb
SSDEEP

768:i6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:R8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

3500 omsecor.exe
2416 omsecor.exe
452 omsecor.exe

pid	process
3500	omsecor.exe
2416	omsecor.exe
452	omsecor.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3152-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/3152-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3500-6-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3500-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3500-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3500-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3500-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Windows\SysWOW64\omsecor.exe	upx
behavioral2/memory/3500-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2416-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2416-26-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/452-27-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/452-29-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/452-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3152 wrote to memory of 3500	3152	3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe	omsecor.exe
PID 3152 wrote to memory of 3500	3152	3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe	omsecor.exe
PID 3152 wrote to memory of 3500	3152	3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe	omsecor.exe
PID 3500 wrote to memory of 2416	3500	omsecor.exe	omsecor.exe
PID 3500 wrote to memory of 2416	3500	omsecor.exe	omsecor.exe
PID 3500 wrote to memory of 2416	3500	omsecor.exe	omsecor.exe
PID 2416 wrote to memory of 452	2416	omsecor.exe	omsecor.exe
PID 2416 wrote to memory of 452	2416	omsecor.exe	omsecor.exe
PID 2416 wrote to memory of 452	2416	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe
"C:\Users\Admin\AppData\Local\Temp\3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1036,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=1308 /prefetch:8
1⤵
PID:4104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
3cdd4dc8fd15885fe545e8acf7c016ac

SHA1
9071e6d15ba0fb2e132daf9064afbc7b067bb8b8

SHA256
2ac90bc6530dbdcf025b5bd08bb9d9a29bffef98463dc7fcc19189c4510d67a3

SHA512
443013daec362fccecd5d00f66381aeba8a8a44e5f1bc5e1202b1dd7e3ce6e79293a6fe032d1e8fcf7b2c08ed18c5e2e481f741cbe8533333eb7c912d149cd89

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
94649c28606d6e3aa3622bc1db94a390

SHA1
ee4545baf07a4b156bbb4bc96db63da5efe75238

SHA256
30c57dbb22b534f0104ac3fe63e0ebfb8cd831857e092a8dae2e2afdb1b0832c

SHA512
57b3d996118ddc487d26429120bd127d45132e8b8b39a687efeebdb6ef20639a3f58286ba1924e5671f605a7d8a38669f33469e8360a9f11fc8f13575ba2ed9f

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
d7653d7bb5e1abd7aba673a794937c1b

SHA1
afd32ce7f5c9bcfbf930dce718a086577ecc7ecd

SHA256
b8e8f5be837fb6f87337fa0b1fa8d657645963d54d055e10862549d5ca18b01b

SHA512
2298b3151ba6dc87e2a48fc7c3f53760306ab5c6169d9fa59db58243915b7d2f5b71aaa7a0eeca3b973b8e7aebfc715aa4415d01bec649b7a97c4e550b6ae7e5

Download Submit
memory/452-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/452-29-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/452-27-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2416-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2416-26-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3152-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3152-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3500-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3500-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3500-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3500-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3500-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3500-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing