neconyd | 82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d

General

Target

82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
Size

134KB
MD5

7afd48e30c7a91408fa59dcf22247121
SHA1

099d21e401c05fbe7b0b98b5a01f768fcfa52cc7
SHA256

82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d
SHA512

e1a23b08a4f8b72480d1a94eef3976f3ab9478792ceaab54a69fa810761efd37bbf8b00d57d454095074fdba12a398b924f4f10ec043ab4af904db8c78299533
SSDEEP

1536:sDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:SiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

3012 omsecor.exe
2520 omsecor.exe
624 omsecor.exe
776 omsecor.exe
1236 omsecor.exe
1172 omsecor.exe

pid	process
3012	omsecor.exe
2520	omsecor.exe
624	omsecor.exe
776	omsecor.exe
1236	omsecor.exe
1172	omsecor.exe

Loads dropped DLL 7 IoCs

Processes:

82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exeomsecor.exeomsecor.exeomsecor.exe

pid	process
2972	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
2972	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
3012	omsecor.exe
2520	omsecor.exe
2520	omsecor.exe
776	omsecor.exe
776	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2860 set thread context of 2972	2860	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
PID 3012 set thread context of 2520	3012	omsecor.exe	omsecor.exe
PID 624 set thread context of 776	624	omsecor.exe	omsecor.exe
PID 1236 set thread context of 1172	1236	omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2860 wrote to memory of 2972	2860	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
PID 2860 wrote to memory of 2972	2860	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
PID 2860 wrote to memory of 2972	2860	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
PID 2860 wrote to memory of 2972	2860	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
PID 2860 wrote to memory of 2972	2860	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
PID 2860 wrote to memory of 2972	2860	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
PID 2972 wrote to memory of 3012	2972	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	omsecor.exe
PID 2972 wrote to memory of 3012	2972	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	omsecor.exe
PID 2972 wrote to memory of 3012	2972	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	omsecor.exe
PID 2972 wrote to memory of 3012	2972	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	omsecor.exe
PID 3012 wrote to memory of 2520	3012	omsecor.exe	omsecor.exe
PID 3012 wrote to memory of 2520	3012	omsecor.exe	omsecor.exe
PID 3012 wrote to memory of 2520	3012	omsecor.exe	omsecor.exe
PID 3012 wrote to memory of 2520	3012	omsecor.exe	omsecor.exe
PID 3012 wrote to memory of 2520	3012	omsecor.exe	omsecor.exe
PID 3012 wrote to memory of 2520	3012	omsecor.exe	omsecor.exe
PID 2520 wrote to memory of 624	2520	omsecor.exe	omsecor.exe
PID 2520 wrote to memory of 624	2520	omsecor.exe	omsecor.exe
PID 2520 wrote to memory of 624	2520	omsecor.exe	omsecor.exe
PID 2520 wrote to memory of 624	2520	omsecor.exe	omsecor.exe
PID 624 wrote to memory of 776	624	omsecor.exe	omsecor.exe
PID 624 wrote to memory of 776	624	omsecor.exe	omsecor.exe
PID 624 wrote to memory of 776	624	omsecor.exe	omsecor.exe
PID 624 wrote to memory of 776	624	omsecor.exe	omsecor.exe
PID 624 wrote to memory of 776	624	omsecor.exe	omsecor.exe
PID 624 wrote to memory of 776	624	omsecor.exe	omsecor.exe
PID 776 wrote to memory of 1236	776	omsecor.exe	omsecor.exe
PID 776 wrote to memory of 1236	776	omsecor.exe	omsecor.exe
PID 776 wrote to memory of 1236	776	omsecor.exe	omsecor.exe
PID 776 wrote to memory of 1236	776	omsecor.exe	omsecor.exe
PID 1236 wrote to memory of 1172	1236	omsecor.exe	omsecor.exe
PID 1236 wrote to memory of 1172	1236	omsecor.exe	omsecor.exe
PID 1236 wrote to memory of 1172	1236	omsecor.exe	omsecor.exe
PID 1236 wrote to memory of 1172	1236	omsecor.exe	omsecor.exe
PID 1236 wrote to memory of 1172	1236	omsecor.exe	omsecor.exe
PID 1236 wrote to memory of 1172	1236	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
"C:\Users\Admin\AppData\Local\Temp\82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2860

C:\Users\Admin\AppData\Local\Temp\82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
C:\Users\Admin\AppData\Local\Temp\82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:1172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
037917d51161a5f26ab47410bef49659

SHA1
8a171534c53348e4ddb92476faf01581d1d50000

SHA256
fac016b753f681c109a782f64fdacf3b2effde1e6697b1154a2eda7a95695540

SHA512
802d33a9ed79ddfafe3f7caa33120482e91e9c69372dffd0c6784c89017e75647b27403c02b7912efd88d73bf11acd945acdfa706b0f71c48d5daa761f372bb1

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
7b4004bc07a209c2bc5d1237d7cc9209

SHA1
48ec69da5c988aa3248580abfa49cad4b32ee18b

SHA256
c5f27147d7cf6799d6f32cac068eeb2fc4d53e8c79b54aed39af552a8ed6f18b

SHA512
23b26e8dbc43c866b673a88818544bf06ca2ba87bfbfea49c659d162704dc4394341762da8f5a13dded2e982b07641e76c0196bd90a87ea368fb52d973995a33

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
134KB

MD5
fb226a5685ffb946b854e2b392d1e008

SHA1
76ee4f8f434f67194f52449664657cbdc490ea85

SHA256
8bc946ea2fa4f2e3ce0d0acecb92ad2e8312955d68d4ae2233d3218259d0cf34

SHA512
579cc51b9f0036d3afee47738b83e07c65802f6684a2978951bfd128cd8c46b0ada4465f6df0991484abeba00b8ae216d6b45ecd01379b3d38a2a281852cf3de

Download Submit
memory/624-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/624-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1172-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1172-85-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1236-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1236-76-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2520-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2520-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2520-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2520-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2520-45-0x0000000002150000-0x0000000002174000-memory.dmp

Filesize
144KB

Download
memory/2520-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2860-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2860-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2972-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2972-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2972-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2972-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2972-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3012-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3012-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads