neconyd | f3e23a69b9ecbed6c605290c8e00dd09976f24b686bcbb18784b0d81da22d665

General

Target

2dd069da99cf55a18fd2ebdd016e6ba0N.exe
Size

35KB
MD5

2dd069da99cf55a18fd2ebdd016e6ba0
SHA1

7d741c26b775b651ef58356fb12302f2d1a10211
SHA256

f3e23a69b9ecbed6c605290c8e00dd09976f24b686bcbb18784b0d81da22d665
SHA512

79ec9c897b49d7127d00f5e812f3fe86ecf379f3a3c4ac2a3c2e701d3be2db3469f023a971bc5567ff75a472cccee944a8376c99f3ca5704779d0bf1bb76af79
SSDEEP

768:N6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:A8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2504	omsecor.exe
668	omsecor.exe
1856	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2396	2dd069da99cf55a18fd2ebdd016e6ba0N.exe
2396	2dd069da99cf55a18fd2ebdd016e6ba0N.exe
2504	omsecor.exe
2504	omsecor.exe
668	omsecor.exe
668	omsecor.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2396-1-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x00090000000120fb-7.dat	upx
behavioral1/memory/2504-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2504-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2504-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2504-18-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/2504-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-23.dat	upx
behavioral1/memory/2504-30-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/files/0x00090000000120fb-34.dat	upx
behavioral1/memory/1856-43-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/668-41-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral1/memory/1856-45-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2504	2396	2dd069da99cf55a18fd2ebdd016e6ba0N.exe	30
PID 2396 wrote to memory of 2504	2396	2dd069da99cf55a18fd2ebdd016e6ba0N.exe	30
PID 2396 wrote to memory of 2504	2396	2dd069da99cf55a18fd2ebdd016e6ba0N.exe	30
PID 2396 wrote to memory of 2504	2396	2dd069da99cf55a18fd2ebdd016e6ba0N.exe	30
PID 2504 wrote to memory of 668	2504	omsecor.exe	33
PID 2504 wrote to memory of 668	2504	omsecor.exe	33
PID 2504 wrote to memory of 668	2504	omsecor.exe	33
PID 2504 wrote to memory of 668	2504	omsecor.exe	33
PID 668 wrote to memory of 1856	668	omsecor.exe	34
PID 668 wrote to memory of 1856	668	omsecor.exe	34
PID 668 wrote to memory of 1856	668	omsecor.exe	34
PID 668 wrote to memory of 1856	668	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\2dd069da99cf55a18fd2ebdd016e6ba0N.exe
"C:\Users\Admin\AppData\Local\Temp\2dd069da99cf55a18fd2ebdd016e6ba0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
923f64bb856b9462a3d7b7042a00eed1

SHA1
08d353bda5535bab6dd039027025592f43782f7d

SHA256
7c3b47509a049218ac27af0e62a2b659e1a6d6284799beaccc7fa29f321b1851

SHA512
b49071aad3f40f39669fee5830431db523607bed5a65a47840bb60b88d090c70eb607072658d3e9093cc61a73753bb191922259c4efc8ae67717c38a58fac34b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
e9d13dca5c666a1edce8a550c365d3dc

SHA1
25100ae9b917d9897af82982a0deb3eb0beedd2f

SHA256
2014dd200cb53c91de51b76150f2b904cfa7b6ef2154c2ac446703672fdeed8e

SHA512
fb2cca995a507e1cb945f5d9d86ef791f25968ac039bdfe97be78a195e3e3af823df93c2327c54399a6effb379c81635b673a1d84361e4427fef40e6e3c71ead

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
4c4f822ad0af63a37fa8f789d74e463f

SHA1
cbfb1e2f615e563a662e77ccfcf670ea23fe75d7

SHA256
22afefb5df179044e296653882001293fbb3af2e77de5f741660f81e1dbf90ef

SHA512
ce8ee2975963fb46cd7fbb6aad594bcc54382ba2a8e63f4c5d8b4552cc2dbc4f53127cf69c64005de6ca1f790f76caa7e8a0b84d50fffcc0824ef8652403579c

Download Submit
memory/668-41-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1856-45-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1856-43-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2396-1-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2504-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2504-30-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2504-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2504-18-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2504-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2504-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing