neconyd | f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9

General

Target

f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9.exe
Size

92KB
MD5

6bc7d09b34f66619a52cb94681609178
SHA1

b2e26fe961d14b823370701f2eb2b92849af9e77
SHA256

f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9
SHA512

07e014f150d0df5549360a53cfe22f6faf46a3fde31041de3dc9062b24c8564143b86f02f313f56eae96f41a5bfad87aa1159882ae26e98067ceea60a435ebfc
SSDEEP

1536:md9dseIOcEE3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:edseIO/EZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1520 omsecor.exe
2512 omsecor.exe
1944 omsecor.exe

pid	process
1520	omsecor.exe
2512	omsecor.exe
1944	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9.exeomsecor.exeomsecor.exe

pid	process
552	f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9.exe
552	f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9.exe
1520	omsecor.exe
1520	omsecor.exe
2512	omsecor.exe
2512	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 552 wrote to memory of 1520	552	f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9.exe	omsecor.exe
PID 552 wrote to memory of 1520	552	f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9.exe	omsecor.exe
PID 552 wrote to memory of 1520	552	f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9.exe	omsecor.exe
PID 552 wrote to memory of 1520	552	f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9.exe	omsecor.exe
PID 1520 wrote to memory of 2512	1520	omsecor.exe	omsecor.exe
PID 1520 wrote to memory of 2512	1520	omsecor.exe	omsecor.exe
PID 1520 wrote to memory of 2512	1520	omsecor.exe	omsecor.exe
PID 1520 wrote to memory of 2512	1520	omsecor.exe	omsecor.exe
PID 2512 wrote to memory of 1944	2512	omsecor.exe	omsecor.exe
PID 2512 wrote to memory of 1944	2512	omsecor.exe	omsecor.exe
PID 2512 wrote to memory of 1944	2512	omsecor.exe	omsecor.exe
PID 2512 wrote to memory of 1944	2512	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9.exe
"C:\Users\Admin\AppData\Local\Temp\f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
c7fafb80b51c5be0e184cf666097f261

SHA1
4e6e67548e6880b31d9f61e003db130c7edcca34

SHA256
30ae25188c50dc166f884a0983f3d9a00418b1a3a58f5bbeb2e4619ea115a1fa

SHA512
91dfdbe3bed8d9e412996b85408bf475d88dfab04beb45c20440141518f20d678e4430fc1bd200f71a147db37ee080f95e8afd531eac60b67a6be7b962fde45f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
06c7438dfe4b5b96eabfaa786e5b5b91

SHA1
d54d401a62a0e824e687df42ea8bdf01143b50c9

SHA256
77f8bd7c9e090320d6d1b27077cbc305ee5f169381da9b2793c7b9dd895f8ae1

SHA512
79bf819ba63a8ba04518da8ac4af04b336dd4c0a377b07f2c5b2baf1169ce362e59049f9498fe8f44e7be4ab44db872a2b5f2579b40a4cc54448900eb0840d2f

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
92KB

MD5
575e704ca33d9345c1925ef9fc502601

SHA1
8a9cfb2c3974228ce6583ecaedea315fbad77ecc

SHA256
aab0f52ce4213c6d874310c8642067d1918fc338ffb7f3c3f4c2f1e229c57544

SHA512
46c6a478a04899fe70545baa6d5ee2a3cb6349a024b28de8411aa1bbe60fd4e3a5bfbbe709dafbc80012985b0a4679ebaaa127ab1fe5c0e8499a1822a02f70a8

Download Submit
memory/552-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/552-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/552-4-0x00000000001B0000-0x00000000001DB000-memory.dmp

Filesize
172KB

Download
memory/1520-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1520-17-0x0000000000430000-0x000000000045B000-memory.dmp

Filesize
172KB

Download
memory/1520-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1944-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1944-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2512-30-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2512-27-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing