neconyd | 7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a

General

Target

7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
Size

96KB
MD5

8ea940fd1dd40ecdd53a3b8b35343c25
SHA1

487e78f505875dd49cd42d44d557722261a1176d
SHA256

7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a
SHA512

70c077ad17d0f63446edfac760c94142ddb3efbd9da144c1bb77b58585489df0e903784111d93fa5b470444de6a932503dc1acfae077d5c7605ffa39a93d4c26
SSDEEP

1536:cnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:cGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Detects executables built or packed with MPress PE compressor 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/852-0-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4364-9-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/852-19-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4364-18-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2864-32-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3060-45-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2864-52-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

4364 omsecor.exe
964 omsecor.exe
2864 omsecor.exe
956 omsecor.exe
3060 omsecor.exe
3512 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
4364	omsecor.exe
964	omsecor.exe
2864	omsecor.exe
956	omsecor.exe
3060	omsecor.exe
3512	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 852 set thread context of 2132	852	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 4364 set thread context of 964	4364	omsecor.exe	omsecor.exe
PID 2864 set thread context of 956	2864	omsecor.exe	omsecor.exe
PID 3060 set thread context of 3512	3060	omsecor.exe	omsecor.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4668	4364	WerFault.exe	omsecor.exe
3028	852	WerFault.exe	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
4700	2864	WerFault.exe	omsecor.exe
4936	3060	WerFault.exe	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 852 wrote to memory of 2132	852	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 852 wrote to memory of 2132	852	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 852 wrote to memory of 2132	852	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 852 wrote to memory of 2132	852	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 852 wrote to memory of 2132	852	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
PID 2132 wrote to memory of 4364	2132	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	omsecor.exe
PID 2132 wrote to memory of 4364	2132	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	omsecor.exe
PID 2132 wrote to memory of 4364	2132	7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe	omsecor.exe
PID 4364 wrote to memory of 964	4364	omsecor.exe	omsecor.exe
PID 4364 wrote to memory of 964	4364	omsecor.exe	omsecor.exe
PID 4364 wrote to memory of 964	4364	omsecor.exe	omsecor.exe
PID 4364 wrote to memory of 964	4364	omsecor.exe	omsecor.exe
PID 4364 wrote to memory of 964	4364	omsecor.exe	omsecor.exe
PID 964 wrote to memory of 2864	964	omsecor.exe	omsecor.exe
PID 964 wrote to memory of 2864	964	omsecor.exe	omsecor.exe
PID 964 wrote to memory of 2864	964	omsecor.exe	omsecor.exe
PID 2864 wrote to memory of 956	2864	omsecor.exe	omsecor.exe
PID 2864 wrote to memory of 956	2864	omsecor.exe	omsecor.exe
PID 2864 wrote to memory of 956	2864	omsecor.exe	omsecor.exe
PID 2864 wrote to memory of 956	2864	omsecor.exe	omsecor.exe
PID 2864 wrote to memory of 956	2864	omsecor.exe	omsecor.exe
PID 956 wrote to memory of 3060	956	omsecor.exe	omsecor.exe
PID 956 wrote to memory of 3060	956	omsecor.exe	omsecor.exe
PID 956 wrote to memory of 3060	956	omsecor.exe	omsecor.exe
PID 3060 wrote to memory of 3512	3060	omsecor.exe	omsecor.exe
PID 3060 wrote to memory of 3512	3060	omsecor.exe	omsecor.exe
PID 3060 wrote to memory of 3512	3060	omsecor.exe	omsecor.exe
PID 3060 wrote to memory of 3512	3060	omsecor.exe	omsecor.exe
PID 3060 wrote to memory of 3512	3060	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
"C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
C:\Users\Admin\AppData\Local\Temp\7c1c369f13d684b5d0db3c1cbe91e3ab8193f5f4bc3d6d5ef1b147114bf1516a.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4364

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 268
8⤵
- Program crash
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 292
6⤵
- Program crash
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 288
4⤵
- Program crash
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 288
2⤵
- Program crash
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 852 -ip 852
1⤵
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4364 -ip 4364
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2864 -ip 2864
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3060 -ip 3060
1⤵
PID:1200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
3bb9c444c5e4e3b0c1a700e4a1eb85de

SHA1
fedfa290358194f03b650aa5186eefee3422b9eb

SHA256
4837eee11d66048351b0af6cd9b15820d7bb172f35a7df4fdec219be69a4ca90

SHA512
a8c57ace27c781fe9e0b84ed27f48e2d226087f13f798f5bdc25ad16be023373a6036950e12a9e418dfaa389478744f507628d43ed63dc078625ccd2174075b0

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
342c1f27b63f3dd81606fe21901ebb65

SHA1
e5438fc895f4c26b7fbd879f7442b19e3f6ed486

SHA256
d78f06f365ab3ce20d8ad4c742fa2d16f8b4cfe82356277a3f291c0ec8edb380

SHA512
590f1a0a7d3ce6b18c9329712bc8d7a1691cea326c898e043dc8520b29e2c98a2464df30e6c4c3d77218a40d6af57a2887d7ab18e1270e069aa8c435ad1a1d97

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
e1268c780e8e6bfaa2b333327814d898

SHA1
fe8f2e7a200d2ebf4e952c841159eb885641aa20

SHA256
a3d9414932dae1411388c8bb0aa56f00d0144dfe13ea4b2f7933dc421dd032f8

SHA512
e3b51b50190f99f4d780b700ba386d6da3e9bb3fc170da2346d9f20250681a9dbe6381e6f48f9a2028a417c3afe42ba61f88a4d8b6c36c7c79720e86c79c4e29

Download Submit
memory/852-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/852-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/956-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/956-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/956-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/964-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/964-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/964-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/964-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/964-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/964-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/964-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2864-32-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2864-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3060-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3512-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3512-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3512-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3512-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4364-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4364-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads