neconyd | 363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796

General

Target

363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
Size

134KB
MD5

4b9ebb020ec10103e5f0781604e4a3c8
SHA1

dd1466d8ca8c1e25851980a47598ea33a2745e6e
SHA256

363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796
SHA512

a94f701e5d0721a2feda003c7df09c82e4bef6ead2268f27cfab73b4687a60632f7f0d228830d68b5a463921c521665a0094d737398a7755e62f9171bb2439f8
SSDEEP

1536:0DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:KiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Detects executables built or packed with MPress PE compressor 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3316-0-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/692-10-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3316-16-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2736-31-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1272-41-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

692 omsecor.exe
2660 omsecor.exe
2736 omsecor.exe
4216 omsecor.exe
1272 omsecor.exe
384 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
692	omsecor.exe
2660	omsecor.exe
2736	omsecor.exe
4216	omsecor.exe
1272	omsecor.exe
384	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3316 set thread context of 4420	3316	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
PID 692 set thread context of 2660	692	omsecor.exe	omsecor.exe
PID 2736 set thread context of 4216	2736	omsecor.exe	omsecor.exe
PID 1272 set thread context of 384	1272	omsecor.exe	omsecor.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4996	692	WerFault.exe	omsecor.exe
880	3316	WerFault.exe	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
2416	1272	WerFault.exe	omsecor.exe
4916	2736	WerFault.exe	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3316 wrote to memory of 4420	3316	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
PID 3316 wrote to memory of 4420	3316	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
PID 3316 wrote to memory of 4420	3316	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
PID 3316 wrote to memory of 4420	3316	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
PID 3316 wrote to memory of 4420	3316	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
PID 4420 wrote to memory of 692	4420	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	omsecor.exe
PID 4420 wrote to memory of 692	4420	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	omsecor.exe
PID 4420 wrote to memory of 692	4420	363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe	omsecor.exe
PID 692 wrote to memory of 2660	692	omsecor.exe	omsecor.exe
PID 692 wrote to memory of 2660	692	omsecor.exe	omsecor.exe
PID 692 wrote to memory of 2660	692	omsecor.exe	omsecor.exe
PID 692 wrote to memory of 2660	692	omsecor.exe	omsecor.exe
PID 692 wrote to memory of 2660	692	omsecor.exe	omsecor.exe
PID 2660 wrote to memory of 2736	2660	omsecor.exe	omsecor.exe
PID 2660 wrote to memory of 2736	2660	omsecor.exe	omsecor.exe
PID 2660 wrote to memory of 2736	2660	omsecor.exe	omsecor.exe
PID 2736 wrote to memory of 4216	2736	omsecor.exe	omsecor.exe
PID 2736 wrote to memory of 4216	2736	omsecor.exe	omsecor.exe
PID 2736 wrote to memory of 4216	2736	omsecor.exe	omsecor.exe
PID 2736 wrote to memory of 4216	2736	omsecor.exe	omsecor.exe
PID 2736 wrote to memory of 4216	2736	omsecor.exe	omsecor.exe
PID 4216 wrote to memory of 1272	4216	omsecor.exe	omsecor.exe
PID 4216 wrote to memory of 1272	4216	omsecor.exe	omsecor.exe
PID 4216 wrote to memory of 1272	4216	omsecor.exe	omsecor.exe
PID 1272 wrote to memory of 384	1272	omsecor.exe	omsecor.exe
PID 1272 wrote to memory of 384	1272	omsecor.exe	omsecor.exe
PID 1272 wrote to memory of 384	1272	omsecor.exe	omsecor.exe
PID 1272 wrote to memory of 384	1272	omsecor.exe	omsecor.exe
PID 1272 wrote to memory of 384	1272	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
"C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3316

C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
C:\Users\Admin\AppData\Local\Temp\363701b7eaccb48c959bc291cbe481c563dbfdcf0570bfa1e17489474f5ab796.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4420

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:692

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 256
8⤵
- Program crash
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 292
6⤵
- Program crash
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 288
4⤵
- Program crash
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 288
2⤵
- Program crash
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 692 -ip 692
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3316 -ip 3316
1⤵
PID:3708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3884 /prefetch:8
1⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2736 -ip 2736
1⤵
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1272 -ip 1272
1⤵
PID:3996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
7fa31b000f38dd31429b1a6115d8cba6

SHA1
7a406db4790d04968c57d61bdbd63faecc2203e8

SHA256
9d632d5741a15b7cd9cafc94563c64500c7a99a9bb15e8d0468e64a2a9831c3f

SHA512
1687e0fb2d420e9e90a236f37b3c8a65cabe0d515208941f8ec4304ddcecdad78d150a15e32efbce7c56c187af9751763034f36103c8843959388d0c3f5d3775

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
6edf1945c3296c6f87680e8bb518f7f5

SHA1
7f7414a27b3a2774a90219f9c3dd40d13fffb0db

SHA256
e36bddcb580a9183a39b202060b32f699aa4a7c30149716c7e7b9f73da2013bc

SHA512
df41dd39b797ffc8cae4fbe8c82533199cc8b30dc969a8b9e751a630c9d35691db27f8e10e02bc04db9deb204124cab24efccb1c1663506273d6d386c5789770

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
134KB

MD5
6f853d3cb397b3798a21287e82e7a28c

SHA1
d1b8ae141a55d91d0278aafb3c3befef703c6c67

SHA256
eacb955f9557e25e57511fe29d713eea27c8155eef95730ef9225e1ffb8ca19d

SHA512
66dce3ca0eda533647370c8144585dc826176faf9be156db1e88d23cafebd0d3251a29bdff8b0a93f41be68014e4c6230178da389874201db4029404f8f0ddc7

Download Submit
memory/384-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/384-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/384-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/384-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/692-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1272-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2660-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2660-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2660-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2660-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2660-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2660-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2660-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2736-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3316-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3316-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4216-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4216-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4216-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4420-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4420-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4420-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4420-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads