neconyd | 4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418

General

Target

4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe
Size

92KB
MD5

48039238819621273dd529161aeb486b
SHA1

dd984aa2b189d1fefc1da2a70bce8ff9d7ad6b63
SHA256

4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418
SHA512

54c28a20fb544796a4cd779bb8b1ae79aed6e1f52d1cfb23520e067f9f407b8e6d2a35b1cce9ba2bedbf094e350c790b3bf405d940ce176b393b4fe5fa4f0de2
SSDEEP

768:iMEIvFGvoEr8LFK0ic46N47eSvYAHwmZGp6JXXlaa5uA:ibIvYvoEyFKF6N4ySAAQmZTl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1952 omsecor.exe
380 omsecor.exe
620 omsecor.exe

pid	process
1952	omsecor.exe
380	omsecor.exe
620	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exeomsecor.exeomsecor.exe

pid	process
1612	4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe
1612	4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe
1952	omsecor.exe
1952	omsecor.exe
380	omsecor.exe
380	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1612 wrote to memory of 1952	1612	4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe	omsecor.exe
PID 1612 wrote to memory of 1952	1612	4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe	omsecor.exe
PID 1612 wrote to memory of 1952	1612	4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe	omsecor.exe
PID 1612 wrote to memory of 1952	1612	4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe	omsecor.exe
PID 1952 wrote to memory of 380	1952	omsecor.exe	omsecor.exe
PID 1952 wrote to memory of 380	1952	omsecor.exe	omsecor.exe
PID 1952 wrote to memory of 380	1952	omsecor.exe	omsecor.exe
PID 1952 wrote to memory of 380	1952	omsecor.exe	omsecor.exe
PID 380 wrote to memory of 620	380	omsecor.exe	omsecor.exe
PID 380 wrote to memory of 620	380	omsecor.exe	omsecor.exe
PID 380 wrote to memory of 620	380	omsecor.exe	omsecor.exe
PID 380 wrote to memory of 620	380	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe
"C:\Users\Admin\AppData\Local\Temp\4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:380

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
a2864cedce63bbee3b3e9e92db69953d

SHA1
74b64a87b2d73fa162009fc4554b612dcce8dedb

SHA256
77e72fb7e9b511e876ace38a895819cde78433bfe62423fcc6ad7c978eaa2397

SHA512
4a519bf03f4a6c2a10b17cf2a5810270bb94b95f0863b043c69e49042e5e9461b22af2efa2ff56d90c6deaf6841103877c0f161cd8f0cb5f3eb13b4e7b9bf40f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
8bdfc2035d356787c4000441dc47922a

SHA1
8d54254516040bb582972ff2cf8296e3b886c8a6

SHA256
01763effe2625ed2ac06056474d1e79297e8c99bde006e4cb906248291d71663

SHA512
cd26c06c5cb6c475e6cee0b009083e314e72fee661788cea6c44aed9b7ec83909b3c2d02fcf49d7618b6cdd946b6652c7b4e085c4d75fa2415327ff2bc548275

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
92KB

MD5
7742accb4580cd86d04ff2b8211c9a40

SHA1
552c99239e1159e530984a7a3cb7a17571bc2e1e

SHA256
74aab2dbe9bb98f8de870ec49e6a7ed781eb5dc9579bd5b0dc2765c9bc0cc343

SHA512
cc6a04574131619dfffa6353e58bef8332b7288634ad15716faf601e691babc8f0b6f8171de5fddcac6aaf3967b826b882a8a4774ea94bc045fc1d70bbbe9422

Download Submit
memory/380-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/380-28-0x0000000001B70000-0x0000000001B9B000-memory.dmp

Filesize
172KB

Download
memory/620-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/620-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1612-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1612-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1952-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1952-21-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1952-15-0x0000000000350000-0x000000000037B000-memory.dmp

Filesize
172KB

Download
memory/1952-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing