neconyd | 8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a

General

Target

8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a.exe
Size

35KB
MD5

692c37c16abf8cef8cd25830e274c63f
SHA1

641ebc7e8eba0d9b479f2f1a7c3e69f414161f1b
SHA256

8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a
SHA512

ed5714b6a5f005f11ae2868202d50b77e3b7714c15dff23ce865b463741cc020fda1fe9c464bd5bf214edb769f434950fc0eba2f13aaa0c84d3d7af70b626965
SSDEEP

768:b6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:G8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

UPX dump on OEP (original entry point) 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2980-0-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
\Users\Admin\AppData\Roaming\omsecor.exe	UPX
behavioral1/memory/2980-8-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2052-10-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2052-12-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2052-18-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2052-21-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
\Windows\SysWOW64\omsecor.exe	UPX
behavioral1/memory/2052-24-0x00000000004B0000-0x00000000004DD000-memory.dmp	UPX
behavioral1/memory/2788-34-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2052-32-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2788-35-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral1/memory/2788-38-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

2052 omsecor.exe
2788 omsecor.exe

pid	process
2052	omsecor.exe
2788	omsecor.exe

Loads dropped DLL 4 IoCs

Processes:

8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a.exeomsecor.exe

pid	process
2980	8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a.exe
2980	8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a.exe
2052	omsecor.exe
2052	omsecor.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2980-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral1/memory/2980-8-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2052-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2052-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2052-18-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2052-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
\Windows\SysWOW64\omsecor.exe	upx
behavioral1/memory/2052-24-0x00000000004B0000-0x00000000004DD000-memory.dmp	upx
behavioral1/memory/2788-34-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2052-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2788-35-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2788-38-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a.exeomsecor.exe

description	pid	process	target process
PID 2980 wrote to memory of 2052	2980	8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a.exe	omsecor.exe
PID 2980 wrote to memory of 2052	2980	8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a.exe	omsecor.exe
PID 2980 wrote to memory of 2052	2980	8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a.exe	omsecor.exe
PID 2980 wrote to memory of 2052	2980	8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a.exe	omsecor.exe
PID 2052 wrote to memory of 2788	2052	omsecor.exe	omsecor.exe
PID 2052 wrote to memory of 2788	2052	omsecor.exe	omsecor.exe
PID 2052 wrote to memory of 2788	2052	omsecor.exe	omsecor.exe
PID 2052 wrote to memory of 2788	2052	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a.exe
"C:\Users\Admin\AppData\Local\Temp\8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
543410c82f8490b634419c0dc3538e3d

SHA1
455ab12d07ac106c8227fbf37c7f94a57a1c2bda

SHA256
a324a7fcae58aa4187e00b731021a1241042fe7222e6b9f21bcff3650c5d28f5

SHA512
be296076cb1a86a98a37f866c90e595b2ae90fc420415e13b33db599c3ef6893e36d44ca24455552b83f56a49701abe7b7273fa990b0a9ca69033ea55d40eb14

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
36825be1264e801f9cfe9e9b8769df7a

SHA1
f816d7dc1ebef1a90b2073941b8944453fe0752d

SHA256
14e10b960f527a178c6ab566a04615033a13d7dcd5fef9f423f3eeb2149fd2bf

SHA512
abfdc7b8255da19d05377b60d48a24a139c0693af7071a28a95c1664b39633f5e2c1abf80a1a6fb6eb4dc28199ac0b65579f2176c71d695c193bc1b5af2a8b32

Download Submit
memory/2052-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2052-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2052-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2052-18-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2052-24-0x00000000004B0000-0x00000000004DD000-memory.dmp

Filesize
180KB

Download
memory/2052-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2788-34-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2788-35-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2788-38-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2980-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2980-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads