neconyd | c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093

General

Target

c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe
Size

35KB
MD5

cdfdfc6b39bf8aa959c22ed497b69a2e
SHA1

9912be4cf7cdfbebd2626867183c7c9416bc1c9d
SHA256

c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093
SHA512

f094e9b95797e92a256ae7025a5fde40b2fa7fa64f17ffb51aa48466e557ed2793f7ac432d5f1c158d431a68006a3332e46317d840cab42d1b3255f3087468fe
SSDEEP

768:N6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:A8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

UPX dump on OEP (original entry point) 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4512-0-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
C:\Users\Admin\AppData\Roaming\omsecor.exe	UPX
behavioral2/memory/4512-5-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/1628-7-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/1628-8-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/1628-11-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/1628-14-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/1628-15-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
C:\Windows\SysWOW64\omsecor.exe	UPX
behavioral2/memory/1628-20-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/692-22-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/692-27-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
C:\Users\Admin\AppData\Roaming\omsecor.exe	UPX
behavioral2/memory/4324-28-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4324-30-0x0000000000400000-0x000000000042D000-memory.dmp	UPX
behavioral2/memory/4324-33-0x0000000000400000-0x000000000042D000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1628 omsecor.exe
692 omsecor.exe
4324 omsecor.exe

pid	process
1628	omsecor.exe
692	omsecor.exe
4324	omsecor.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4512-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/4512-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1628-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1628-8-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1628-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1628-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1628-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Windows\SysWOW64\omsecor.exe	upx
behavioral2/memory/1628-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/692-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/692-27-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/4324-28-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4324-30-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4324-33-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 4512 wrote to memory of 1628	4512	c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe	omsecor.exe
PID 4512 wrote to memory of 1628	4512	c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe	omsecor.exe
PID 4512 wrote to memory of 1628	4512	c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe	omsecor.exe
PID 1628 wrote to memory of 692	1628	omsecor.exe	omsecor.exe
PID 1628 wrote to memory of 692	1628	omsecor.exe	omsecor.exe
PID 1628 wrote to memory of 692	1628	omsecor.exe	omsecor.exe
PID 692 wrote to memory of 4324	692	omsecor.exe	omsecor.exe
PID 692 wrote to memory of 4324	692	omsecor.exe	omsecor.exe
PID 692 wrote to memory of 4324	692	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe
"C:\Users\Admin\AppData\Local\Temp\c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:4324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
7c9bbea4e90bf8c123078ba5410c9080

SHA1
a6a90ed312e350321c57d1755984eb6de2d2a1bb

SHA256
fa4148e7a3cfbb923f077a78a09a16836e61eeae52933ac9d21032318983fdff

SHA512
f07f3d0fefcb0a43a40d045ba4d6a8b24dac8e928c29c8fe9fa8806b9b81496f324c202ec8c62455b557981333c9e22bcdc3bf9cc70ad8ea94d07ec13916480e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
c969e4d8611084ccb26c12fbde1f6d97

SHA1
e2bcc63fe01b638fffefb191d7582d543803c3d8

SHA256
f8feb1df2a4086581cdc552151cd22b8b328320c348f4d7245791ac3db3df8ff

SHA512
e5668caeadcc31163a12813d249aca09e48d3ffe28644f9280b7329239f31cf0f692a1a0f7592fca02680cad74146462a64a4cd92b960715fe1ec42936b358e8

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
b6a8cbe02ae0d2649c01fe01b246ea48

SHA1
8ea31e20aa6d7738f15ada92cdcdb42bcf43732f

SHA256
2f4d8c663036c0287bf0527f10c50b95ceed57cfc3d31da4edb946ea5f5f056b

SHA512
bd649a3100866c5f551ebc669f6538a1d7f1d5a0ec6be46e418cfef57df022f8ea9eba3eebce1beae2f9c9d89c138712695800e70295116985cd152136ee7bab

Download Submit
memory/692-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/692-27-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1628-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1628-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1628-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1628-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1628-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1628-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4324-28-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4324-30-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4324-33-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4512-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4512-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads