neconyd | 099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd

General

Target

099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
Size

96KB
MD5

b86eb52ade79eafd4a5287071e6a45e3
SHA1

2ec72902a04de05bbcd9b042e6ec6bcb43689ae6
SHA256

099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd
SHA512

092428c2d92eab6b08568fefa3d64c49b769688515326d1f97a2eced5e1de46f6b209b53cc5f492f5a9f59081bc5c786e6f895cc6601f66e09d4472bb61a138e
SSDEEP

1536:5nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:5Gs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Detects executables built or packed with MPress PE compressor 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2420-0-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2420-7-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3040-21-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3040-31-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2436-56-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1532-87-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1532-80-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2644-76-0x00000000003C0000-0x00000000003E3000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2436-64-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2588-46-0x00000000002A0000-0x00000000002C3000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

3040 omsecor.exe
2588 omsecor.exe
2436 omsecor.exe
2644 omsecor.exe
1532 omsecor.exe
2072 omsecor.exe

pid	process
3040	omsecor.exe
2588	omsecor.exe
2436	omsecor.exe
2644	omsecor.exe
1532	omsecor.exe
2072	omsecor.exe

Loads dropped DLL 7 IoCs

Processes:

099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exeomsecor.exeomsecor.exeomsecor.exe

pid	process
1400	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
1400	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
3040	omsecor.exe
2588	omsecor.exe
2588	omsecor.exe
2644	omsecor.exe
2644	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2420 set thread context of 1400	2420	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
PID 3040 set thread context of 2588	3040	omsecor.exe	omsecor.exe
PID 2436 set thread context of 2644	2436	omsecor.exe	omsecor.exe
PID 1532 set thread context of 2072	1532	omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2420 wrote to memory of 1400	2420	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
PID 2420 wrote to memory of 1400	2420	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
PID 2420 wrote to memory of 1400	2420	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
PID 2420 wrote to memory of 1400	2420	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
PID 2420 wrote to memory of 1400	2420	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
PID 2420 wrote to memory of 1400	2420	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
PID 1400 wrote to memory of 3040	1400	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe	omsecor.exe
PID 1400 wrote to memory of 3040	1400	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe	omsecor.exe
PID 1400 wrote to memory of 3040	1400	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe	omsecor.exe
PID 1400 wrote to memory of 3040	1400	099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe	omsecor.exe
PID 3040 wrote to memory of 2588	3040	omsecor.exe	omsecor.exe
PID 3040 wrote to memory of 2588	3040	omsecor.exe	omsecor.exe
PID 3040 wrote to memory of 2588	3040	omsecor.exe	omsecor.exe
PID 3040 wrote to memory of 2588	3040	omsecor.exe	omsecor.exe
PID 3040 wrote to memory of 2588	3040	omsecor.exe	omsecor.exe
PID 3040 wrote to memory of 2588	3040	omsecor.exe	omsecor.exe
PID 2588 wrote to memory of 2436	2588	omsecor.exe	omsecor.exe
PID 2588 wrote to memory of 2436	2588	omsecor.exe	omsecor.exe
PID 2588 wrote to memory of 2436	2588	omsecor.exe	omsecor.exe
PID 2588 wrote to memory of 2436	2588	omsecor.exe	omsecor.exe
PID 2436 wrote to memory of 2644	2436	omsecor.exe	omsecor.exe
PID 2436 wrote to memory of 2644	2436	omsecor.exe	omsecor.exe
PID 2436 wrote to memory of 2644	2436	omsecor.exe	omsecor.exe
PID 2436 wrote to memory of 2644	2436	omsecor.exe	omsecor.exe
PID 2436 wrote to memory of 2644	2436	omsecor.exe	omsecor.exe
PID 2436 wrote to memory of 2644	2436	omsecor.exe	omsecor.exe
PID 2644 wrote to memory of 1532	2644	omsecor.exe	omsecor.exe
PID 2644 wrote to memory of 1532	2644	omsecor.exe	omsecor.exe
PID 2644 wrote to memory of 1532	2644	omsecor.exe	omsecor.exe
PID 2644 wrote to memory of 1532	2644	omsecor.exe	omsecor.exe
PID 1532 wrote to memory of 2072	1532	omsecor.exe	omsecor.exe
PID 1532 wrote to memory of 2072	1532	omsecor.exe	omsecor.exe
PID 1532 wrote to memory of 2072	1532	omsecor.exe	omsecor.exe
PID 1532 wrote to memory of 2072	1532	omsecor.exe	omsecor.exe
PID 1532 wrote to memory of 2072	1532	omsecor.exe	omsecor.exe
PID 1532 wrote to memory of 2072	1532	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
"C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2420

C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:2072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
dc4a6518619f10e3468bb9de4184f126

SHA1
59c0c21982fd8f4e81eb31c8046de4afc6ef06df

SHA256
1862344f30d972f7ad6efc373c0857941dce1da672ea63afae2bb18df5e1d544

SHA512
4de77029a1f1132a88a75589e6f08c11236de21b7d918fb5d01a91fdf7e154955e8e10bca1b4214340b3dd7b90e4cf46c51f5ec698e80371b4f08becfabe1406

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
9e377fa6464ab57d50901235edfc44b6

SHA1
192f4d4922ce8216ca5e4db69fc374bec9fe0677

SHA256
c69d8ee935bb082666f07ce962f85df544741acc85b4d4305dbc79cf0217e8b8

SHA512
c01cec202db828d777a53d530b8c7c6b032c7b25a013cd9d9c4c859a90222e277d040e7351fe490f3f5947df7a746c89217fd24d1d15f384c8ca655cbc5e5c45

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
96KB

MD5
0bda56d045f3941600e707822542d425

SHA1
9febd4a73b189786d3088a8f7eea2c6d5d992fcd

SHA256
326774eb1c93fd10282319ffa6bb9f33e11507cdf1e368756b837ef31ff4386e

SHA512
d599d594432dadf084faec0af637f881e1f2ec429496c5091503af81a600568b1f38c42817b7c2d2b48af5383f035139ab137aa800c2cde3f23002c67de81b67

Download Submit
memory/1400-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1400-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1400-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1400-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1400-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1532-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1532-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2072-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2072-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2420-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2420-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2436-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2436-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2588-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2588-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2588-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2588-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2588-46-0x00000000002A0000-0x00000000002C3000-memory.dmp

Filesize
140KB

Download
memory/2644-78-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/2644-76-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/3040-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3040-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads