neconyd | 7750709b5ba108038b5126f673db722609674b25b168696da8c655081a8ec5e7

General

Target

451d48292ec18689a4e693b00d631fa0N.exe
Size

35KB
MD5

451d48292ec18689a4e693b00d631fa0
SHA1

c66b7bf099b120184c2ea3ce6fcf8fe88402e352
SHA256

7750709b5ba108038b5126f673db722609674b25b168696da8c655081a8ec5e7
SHA512

928f3e7f0f06488f0e3bdeb3964c68b45c03a44b99bb731d615040b53f176b16f0bd2a037b70191a2e684c3c3727888092ba62d8dcaf0f5db8cd4d0dc9ee80e2
SSDEEP

768:+6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:F8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2752	omsecor.exe
1732	omsecor.exe
2336	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2696	451d48292ec18689a4e693b00d631fa0N.exe
2696	451d48292ec18689a4e693b00d631fa0N.exe
2752	omsecor.exe
2752	omsecor.exe
1732	omsecor.exe
1732	omsecor.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2696-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000c00000001227f-2.dat	upx
behavioral1/memory/2696-4-0x00000000001B0000-0x00000000001DD000-memory.dmp	upx
behavioral1/memory/2696-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2752-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2752-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2752-17-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2752-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2752-23-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x001b000000016c80-25.dat	upx
behavioral1/memory/2752-32-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1732-34-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x000c00000001227f-37.dat	upx
behavioral1/memory/1732-44-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2336-46-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2336-48-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2752	2696	451d48292ec18689a4e693b00d631fa0N.exe	31
PID 2696 wrote to memory of 2752	2696	451d48292ec18689a4e693b00d631fa0N.exe	31
PID 2696 wrote to memory of 2752	2696	451d48292ec18689a4e693b00d631fa0N.exe	31
PID 2696 wrote to memory of 2752	2696	451d48292ec18689a4e693b00d631fa0N.exe	31
PID 2752 wrote to memory of 1732	2752	omsecor.exe	33
PID 2752 wrote to memory of 1732	2752	omsecor.exe	33
PID 2752 wrote to memory of 1732	2752	omsecor.exe	33
PID 2752 wrote to memory of 1732	2752	omsecor.exe	33
PID 1732 wrote to memory of 2336	1732	omsecor.exe	34
PID 1732 wrote to memory of 2336	1732	omsecor.exe	34
PID 1732 wrote to memory of 2336	1732	omsecor.exe	34
PID 1732 wrote to memory of 2336	1732	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\451d48292ec18689a4e693b00d631fa0N.exe
"C:\Users\Admin\AppData\Local\Temp\451d48292ec18689a4e693b00d631fa0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:2336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
e542adb730b0b9f68cbc9c7aedd94aaf

SHA1
50e4324287e957f5bc84c10a29343d3efd18acfd

SHA256
a6e9cc0e5b38be2c7fe8a96f55ffec671c83787dc943b3c7a0b6bacd11d7fe20

SHA512
35a9ab220255514bc4defb99d1a7ab67a699bc57747f603be834d9bf3eede206a3130f8efaf1fb614e71dc86964c2d449edba29144f9457d5ed873ac238c4584

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
54a0d46b4b6b53a18a9f1886482c3b87

SHA1
3e84cf42bd675a352a327f40441475e91ee0b7db

SHA256
03fefaa91ea9ca0f962c40f1d2d0e51d8120f675e51a2d56845f42faceb1de4a

SHA512
f51c6a65c2d19bbf6e854e322963c998e7e4aeea821158e3f240db7134e9e06fe3011581060f08b9c90db2005673c8f7fc7afcaf0bd83d13198457ff4da690dc

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
bc88dc114da0b72324b5f084fb5024cb

SHA1
908606caf95306fa0a264ff222bafaf513e7f7d3

SHA256
861ec40d9485080333aab7b9bb1910394c6150d60f5f1355aa896c6ee9ef03bf

SHA512
c9b8c85ec5661d28e38e6ecb5a35f5ceb7f6d12c4ed6f317bf59634841915a0615b256f40b8f89eeb3709f5c4586829065c3f86405d605f26c6fb660ad411268

Download Submit
memory/1732-34-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1732-44-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2336-48-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2336-46-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2696-4-0x00000000001B0000-0x00000000001DD000-memory.dmp

Filesize
180KB

Download
memory/2696-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2696-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2752-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2752-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2752-23-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2752-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2752-17-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2752-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing