neconyd | 7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a

General

Target

7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
Size

96KB
MD5

8ea940fd1dd40ecdd53a3b8b35343c25
SHA1

487e78f505875dd49cd42d44d557722261a1176d
SHA256

7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a
SHA512

70c077ad17d0f63446edfac760c94142ddb3efbd9da144c1bb77b58585489df0e903784111d93fa5b470444de6a932503dc1acfae077d5c7605ffa39a93d4c26
SSDEEP

1536:cnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:cGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Detects executables built or packed with MPress PE compressor 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1044-0-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1044-7-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2148-21-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2148-32-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
\Windows\SysWOW64\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2668-47-0x0000000001FA0000-0x0000000001FC3000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1628-57-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1628-66-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1872-72-0x0000000000230000-0x0000000000253000-memory.dmp	INDICATOR_EXE_Packed_MPress
\Users\Admin\AppData\Roaming\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1436-80-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1436-88-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

2148 omsecor.exe
2668 omsecor.exe
1628 omsecor.exe
1872 omsecor.exe
1436 omsecor.exe
2108 omsecor.exe

pid	process
2148	omsecor.exe
2668	omsecor.exe
1628	omsecor.exe
1872	omsecor.exe
1436	omsecor.exe
2108	omsecor.exe

Loads dropped DLL 7 IoCs

Processes:

7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exeomsecor.exeomsecor.exeomsecor.exe

pid	process
2352	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
2352	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
2148	omsecor.exe
2668	omsecor.exe
2668	omsecor.exe
1872	omsecor.exe
1872	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1044 set thread context of 2352	1044	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 2148 set thread context of 2668	2148	omsecor.exe	omsecor.exe
PID 1628 set thread context of 1872	1628	omsecor.exe	omsecor.exe
PID 1436 set thread context of 2108	1436	omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1044 wrote to memory of 2352	1044	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 1044 wrote to memory of 2352	1044	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 1044 wrote to memory of 2352	1044	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 1044 wrote to memory of 2352	1044	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 1044 wrote to memory of 2352	1044	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 1044 wrote to memory of 2352	1044	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 2352 wrote to memory of 2148	2352	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	omsecor.exe
PID 2352 wrote to memory of 2148	2352	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	omsecor.exe
PID 2352 wrote to memory of 2148	2352	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	omsecor.exe
PID 2352 wrote to memory of 2148	2352	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	omsecor.exe
PID 2148 wrote to memory of 2668	2148	omsecor.exe	omsecor.exe
PID 2148 wrote to memory of 2668	2148	omsecor.exe	omsecor.exe
PID 2148 wrote to memory of 2668	2148	omsecor.exe	omsecor.exe
PID 2148 wrote to memory of 2668	2148	omsecor.exe	omsecor.exe
PID 2148 wrote to memory of 2668	2148	omsecor.exe	omsecor.exe
PID 2148 wrote to memory of 2668	2148	omsecor.exe	omsecor.exe
PID 2668 wrote to memory of 1628	2668	omsecor.exe	omsecor.exe
PID 2668 wrote to memory of 1628	2668	omsecor.exe	omsecor.exe
PID 2668 wrote to memory of 1628	2668	omsecor.exe	omsecor.exe
PID 2668 wrote to memory of 1628	2668	omsecor.exe	omsecor.exe
PID 1628 wrote to memory of 1872	1628	omsecor.exe	omsecor.exe
PID 1628 wrote to memory of 1872	1628	omsecor.exe	omsecor.exe
PID 1628 wrote to memory of 1872	1628	omsecor.exe	omsecor.exe
PID 1628 wrote to memory of 1872	1628	omsecor.exe	omsecor.exe
PID 1628 wrote to memory of 1872	1628	omsecor.exe	omsecor.exe
PID 1628 wrote to memory of 1872	1628	omsecor.exe	omsecor.exe
PID 1872 wrote to memory of 1436	1872	omsecor.exe	omsecor.exe
PID 1872 wrote to memory of 1436	1872	omsecor.exe	omsecor.exe
PID 1872 wrote to memory of 1436	1872	omsecor.exe	omsecor.exe
PID 1872 wrote to memory of 1436	1872	omsecor.exe	omsecor.exe
PID 1436 wrote to memory of 2108	1436	omsecor.exe	omsecor.exe
PID 1436 wrote to memory of 2108	1436	omsecor.exe	omsecor.exe
PID 1436 wrote to memory of 2108	1436	omsecor.exe	omsecor.exe
PID 1436 wrote to memory of 2108	1436	omsecor.exe	omsecor.exe
PID 1436 wrote to memory of 2108	1436	omsecor.exe	omsecor.exe
PID 1436 wrote to memory of 2108	1436	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
"C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2148

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:2108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
342c1f27b63f3dd81606fe21901ebb65

SHA1
e5438fc895f4c26b7fbd879f7442b19e3f6ed486

SHA256
d78f06f365ab3ce20d8ad4c742fa2d16f8b4cfe82356277a3f291c0ec8edb380

SHA512
590f1a0a7d3ce6b18c9329712bc8d7a1691cea326c898e043dc8520b29e2c98a2464df30e6c4c3d77218a40d6af57a2887d7ab18e1270e069aa8c435ad1a1d97

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
b5c4f93e9556e1bab078f380f2bb849f

SHA1
2bd76859b82b713fbe08bfee01cda9355d6ed1f8

SHA256
7436a298b9795942e8d034e20fe5468db4de8f80b96f78fbd2585be0df9d4bcc

SHA512
7cffcb00bf0558c822a49283e8bea1cb91d39f2119612771cb26fe9322fa54c89b005b03e6f410d5a4048303b85e4a1887635df943f9a75524bb84322829247c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
de06521985c90e93cf1bc3b9e5cc0d7c

SHA1
fa9c1fd2898442fbd212c253a791f7022070d7bc

SHA256
b0297f775479413c82d55762e1a97f409eb8cdd93e4b948e645f1280b819c4a5

SHA512
ff76a7fd58302b28c2cb1d187674250988e33e64e533bfd5884abf992213a8a064699dab6e3ba69e4d19974e594f5cf1be03b0f6a323a16a331877b1062163eb

Download Submit
memory/1044-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1044-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1436-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1436-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1628-66-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1628-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1872-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2108-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2108-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2148-24-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2148-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2148-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2352-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2352-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2352-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2352-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2352-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2668-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2668-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2668-47-0x0000000001FA0000-0x0000000001FC3000-memory.dmp

Filesize
140KB

Download
memory/2668-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2668-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2668-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads