neconyd | 06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0

General

Target

06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe
Size

72KB
MD5

9a0584fbce47d592dae45689049a44d4
SHA1

5cd3174b1116f5f06287e9c0df5d962b7e8acda6
SHA256

06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0
SHA512

a217f638a6edc71c64c4afd62252dad20f0739c06ce55ad13c49e17f19d7d76ebd8c497398fdc47a10bc2d5fe3b4f1d605ee0eaeb1e0e07fd221236ce1973c90
SSDEEP

768:7MEIvFGvoEr8LFK0ic46N47eSvYAHwmZGp6JXXlaa5uA:7bIvYvoEyFKF6N4ySAAQmZTl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2784 omsecor.exe
2892 omsecor.exe
2336 omsecor.exe

pid	process
2784	omsecor.exe
2892	omsecor.exe
2336	omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exeomsecor.exeomsecor.exe

pid	process
2944	06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe
2944	06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe
2784	omsecor.exe
2784	omsecor.exe
2892	omsecor.exe
2892	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2944 wrote to memory of 2784	2944	06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe	omsecor.exe
PID 2944 wrote to memory of 2784	2944	06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe	omsecor.exe
PID 2944 wrote to memory of 2784	2944	06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe	omsecor.exe
PID 2944 wrote to memory of 2784	2944	06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe	omsecor.exe
PID 2784 wrote to memory of 2892	2784	omsecor.exe	omsecor.exe
PID 2784 wrote to memory of 2892	2784	omsecor.exe	omsecor.exe
PID 2784 wrote to memory of 2892	2784	omsecor.exe	omsecor.exe
PID 2784 wrote to memory of 2892	2784	omsecor.exe	omsecor.exe
PID 2892 wrote to memory of 2336	2892	omsecor.exe	omsecor.exe
PID 2892 wrote to memory of 2336	2892	omsecor.exe	omsecor.exe
PID 2892 wrote to memory of 2336	2892	omsecor.exe	omsecor.exe
PID 2892 wrote to memory of 2336	2892	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe
"C:\Users\Admin\AppData\Local\Temp\06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:2336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
72KB

MD5
19ccaf464a091e062b03fb80d35f1c27

SHA1
0c0e9b32f66d49e2754af7ff83f2109bd643c470

SHA256
8906730d7858dcd68ea18026427d8934b326abfc3a5d0d8070cb18430de7a53d

SHA512
6e413b862bb7fbb1bebcebabe0dd0397185e2625ec17364c21720d12179583e4965f279c56798049aeef45367a5031b324c6122888c2b6bba21ca40610bdf96c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
72KB

MD5
d51254081752e3d1b0cb209f83286409

SHA1
e2dfac25296695c910dfb53ccfe3f3b2eba34ed8

SHA256
26b7172810d076f1c63b9689d02ba50faff080f61b22c85256d4db2c87a572ed

SHA512
fe092d75310462d4afcb9722254deebb0eb39c11d880bdbf19874044d0dcc58da6dc43b30dc1a7bd94a15288a17b90f6782db25fa815088c4e6f363b2cede88d

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
72KB

MD5
7be4cd475ec7c45b167f721bfdaa1a17

SHA1
a7e764a8edfd65809574b2cc1aec2b7f00c044cd

SHA256
032431f8729ebb7701cd1f97af441366c7c2f7000b4b92b2eb72ea8adda55399

SHA512
9f9062bfa83fc5da25255f6f0ec6ed7ac16d6238cee9d7a8d627fa0c08a51cabf954e815dc3d0f653242b437ecb94536958dd440860ec629f26e17bbd50a3cb9

Download Submit
memory/2336-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2336-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2784-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2784-19-0x00000000004B0000-0x00000000004DB000-memory.dmp

Filesize
172KB

Download
memory/2784-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2784-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2892-29-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2892-32-0x00000000003C0000-0x00000000003EB000-memory.dmp

Filesize
172KB

Download
memory/2944-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2944-8-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2944-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2944-9-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing