neconyd | 363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796

General

Target

363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
Size

134KB
MD5

4b9ebb020ec10103e5f0781604e4a3c8
SHA1

dd1466d8ca8c1e25851980a47598ea33a2745e6e
SHA256

363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796
SHA512

a94f701e5d0721a2feda003c7df09c82e4bef6ead2268f27cfab73b4687a60632f7f0d228830d68b5a463921c521665a0094d737398a7755e62f9171bb2439f8
SSDEEP

1536:0DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:KiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Detects executables built or packed with MPress PE compressor 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2884-0-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2884-7-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
\Users\Admin\AppData\Roaming\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3008-20-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3008-29-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
\Windows\SysWOW64\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2996-45-0x0000000001F50000-0x0000000001F74000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2660-55-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2660-63-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
\Users\Admin\AppData\Roaming\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1308-76-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1308-83-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

3008 omsecor.exe
2996 omsecor.exe
2660 omsecor.exe
1600 omsecor.exe
1308 omsecor.exe
2300 omsecor.exe

pid	process
3008	omsecor.exe
2996	omsecor.exe
2660	omsecor.exe
1600	omsecor.exe
1308	omsecor.exe
2300	omsecor.exe

Loads dropped DLL 7 IoCs

Processes:

363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exeomsecor.exeomsecor.exeomsecor.exe

pid	process
2960	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
2960	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
3008	omsecor.exe
2996	omsecor.exe
2996	omsecor.exe
1600	omsecor.exe
1600	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2884 set thread context of 2960	2884	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
PID 3008 set thread context of 2996	3008	omsecor.exe	omsecor.exe
PID 2660 set thread context of 1600	2660	omsecor.exe	omsecor.exe
PID 1308 set thread context of 2300	1308	omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2884 wrote to memory of 2960	2884	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
PID 2884 wrote to memory of 2960	2884	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
PID 2884 wrote to memory of 2960	2884	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
PID 2884 wrote to memory of 2960	2884	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
PID 2884 wrote to memory of 2960	2884	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
PID 2884 wrote to memory of 2960	2884	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
PID 2960 wrote to memory of 3008	2960	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	omsecor.exe
PID 2960 wrote to memory of 3008	2960	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	omsecor.exe
PID 2960 wrote to memory of 3008	2960	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	omsecor.exe
PID 2960 wrote to memory of 3008	2960	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	omsecor.exe
PID 3008 wrote to memory of 2996	3008	omsecor.exe	omsecor.exe
PID 3008 wrote to memory of 2996	3008	omsecor.exe	omsecor.exe
PID 3008 wrote to memory of 2996	3008	omsecor.exe	omsecor.exe
PID 3008 wrote to memory of 2996	3008	omsecor.exe	omsecor.exe
PID 3008 wrote to memory of 2996	3008	omsecor.exe	omsecor.exe
PID 3008 wrote to memory of 2996	3008	omsecor.exe	omsecor.exe
PID 2996 wrote to memory of 2660	2996	omsecor.exe	omsecor.exe
PID 2996 wrote to memory of 2660	2996	omsecor.exe	omsecor.exe
PID 2996 wrote to memory of 2660	2996	omsecor.exe	omsecor.exe
PID 2996 wrote to memory of 2660	2996	omsecor.exe	omsecor.exe
PID 2660 wrote to memory of 1600	2660	omsecor.exe	omsecor.exe
PID 2660 wrote to memory of 1600	2660	omsecor.exe	omsecor.exe
PID 2660 wrote to memory of 1600	2660	omsecor.exe	omsecor.exe
PID 2660 wrote to memory of 1600	2660	omsecor.exe	omsecor.exe
PID 2660 wrote to memory of 1600	2660	omsecor.exe	omsecor.exe
PID 2660 wrote to memory of 1600	2660	omsecor.exe	omsecor.exe
PID 1600 wrote to memory of 1308	1600	omsecor.exe	omsecor.exe
PID 1600 wrote to memory of 1308	1600	omsecor.exe	omsecor.exe
PID 1600 wrote to memory of 1308	1600	omsecor.exe	omsecor.exe
PID 1600 wrote to memory of 1308	1600	omsecor.exe	omsecor.exe
PID 1308 wrote to memory of 2300	1308	omsecor.exe	omsecor.exe
PID 1308 wrote to memory of 2300	1308	omsecor.exe	omsecor.exe
PID 1308 wrote to memory of 2300	1308	omsecor.exe	omsecor.exe
PID 1308 wrote to memory of 2300	1308	omsecor.exe	omsecor.exe
PID 1308 wrote to memory of 2300	1308	omsecor.exe	omsecor.exe
PID 1308 wrote to memory of 2300	1308	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
"C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2884

C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:2300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
6edf1945c3296c6f87680e8bb518f7f5

SHA1
7f7414a27b3a2774a90219f9c3dd40d13fffb0db

SHA256
e36bddcb580a9183a39b202060b32f699aa4a7c30149716c7e7b9f73da2013bc

SHA512
df41dd39b797ffc8cae4fbe8c82533199cc8b30dc969a8b9e751a630c9d35691db27f8e10e02bc04db9deb204124cab24efccb1c1663506273d6d386c5789770

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
797b7b1fb417f7c0aaa894ef2a8a17e0

SHA1
33e26be7beddf15d0a745c13a7f03ebd5a2ac437

SHA256
19949127139a6f786cc601b578b6f9994f142e0e0bc050d71064473be17efc0f

SHA512
b01a5b42d63583689a7e4d3de219598b92ef7a66b2103d4caa45e3891eaa465f4affeee22df2411be1a2e9ba4539cdf02b7915732e8ed254e83545136228176b

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
134KB

MD5
f279d2dca58828722dccc662d0ec798f

SHA1
4604816d0de17e90d6e54be7f8c6274baf668606

SHA256
2200907c6a0824cea6c3e298cd5eaff87c59a262da8dee5d9d34c6075e758580

SHA512
7d66ecf215aeaa84b11cf90b2b95eb2f6175cddad1b2ef62b99301cf3cecc1bf6e9ff2b174f45a70b73c650a46b7393f66cf2ba4aa4163a3652fdd3851a0deac

Download Submit
memory/1308-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1308-76-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2300-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2300-85-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2660-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2660-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2884-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2884-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2960-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2960-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2960-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2960-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2960-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2996-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2996-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2996-45-0x0000000001F50000-0x0000000001F74000-memory.dmp

Filesize
144KB

Download
memory/2996-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2996-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2996-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3008-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3008-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads