neconyd | a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d

General

Target

a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exe
Size

92KB
MD5

af4277dd98ae2f012297ad52052eefb2
SHA1

ba27fd7a75787eeaac04ba8e1e1c375175a6c096
SHA256

a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d
SHA512

cf2b92ffe29df2184503a7b3ff1291eb7167acbb5482cf76e13b55b5a50a55402b4799d9de5022549d47c5989078675a6a689413f1e474b4cc8f1357473b546d
SSDEEP

768:SMEIvFGvZEr8LFK0ic4PN47eSdYAHwmZNp6JXXlaa5uA:SbIvYvZEyFKFPN4yS+AQmZol/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1724 omsecor.exe
2924 omsecor.exe
316 omsecor.exe

pid	process
1724	omsecor.exe
2924	omsecor.exe
316	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exeomsecor.exeomsecor.exe

pid	process
2236	a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exe
2236	a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exe
1724	omsecor.exe
1724	omsecor.exe
2924	omsecor.exe
2924	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2236 wrote to memory of 1724	2236	a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exe	omsecor.exe
PID 2236 wrote to memory of 1724	2236	a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exe	omsecor.exe
PID 2236 wrote to memory of 1724	2236	a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exe	omsecor.exe
PID 2236 wrote to memory of 1724	2236	a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exe	omsecor.exe
PID 1724 wrote to memory of 2924	1724	omsecor.exe	omsecor.exe
PID 1724 wrote to memory of 2924	1724	omsecor.exe	omsecor.exe
PID 1724 wrote to memory of 2924	1724	omsecor.exe	omsecor.exe
PID 1724 wrote to memory of 2924	1724	omsecor.exe	omsecor.exe
PID 2924 wrote to memory of 316	2924	omsecor.exe	omsecor.exe
PID 2924 wrote to memory of 316	2924	omsecor.exe	omsecor.exe
PID 2924 wrote to memory of 316	2924	omsecor.exe	omsecor.exe
PID 2924 wrote to memory of 316	2924	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exe
"C:\Users\Admin\AppData\Local\Temp\a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
eb1594b3d0c7f76d46121377d070ec22

SHA1
c8390571254d431b0fd9ce66bc66ca946a36f8dd

SHA256
c3b10a9f0ab06a358aedf2b12faf1402a621728a09691b05a1b1cb268d7f6552

SHA512
80f0382ffc489a9d8968aee0c435d31f24bd1968d2680d8bc37f89a9814de30e38a31ae925a613a6572210f3358c5c3996fd2ed8506de09e1cfb8fb5b45d96c4

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
59e5b0c6b6e48cbf791958e40e8a608a

SHA1
e39d1fd6deb61c2adbbfcf919c70b5ce2b152bd6

SHA256
d23edb8ef1c1f2cd89079d88338570759a13c075f13fffb77e5ee07016fe84fa

SHA512
6f8bf2313deee43011946b6bf2c8dcf54641009d0cb53d6000504ac3295b963c66ef02ea3bfa98b6dc72876e154c681ce63395971107c6dc7301cbea105420ae

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
92KB

MD5
a795a9bffb4223060a28e35ad32b5eb2

SHA1
cf8aba9ef8126ddbc47bb7cc6ba57003d09a1b91

SHA256
95d5b069dc1779f9e1630ad8a7b9da03d1eb24204ed3894f4d5dcecee2c4cc6d

SHA512
274a959c451f0913f45f13f815cbd06667c2607c05f40ffd343803bd2db9432f831cc968dfa7b1e437c9043b30768a58449d57a0ac12ef655899ba74db59c028

Download Submit
memory/316-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/316-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1724-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1724-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1724-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1724-19-0x0000000000320000-0x000000000034B000-memory.dmp

Filesize
172KB

Download
memory/2236-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2236-4-0x00000000001B0000-0x00000000001DB000-memory.dmp

Filesize
172KB

Download
memory/2236-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2924-28-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing