neconyd | 82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d

General

Target

82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
Size

134KB
MD5

7afd48e30c7a91408fa59dcf22247121
SHA1

099d21e401c05fbe7b0b98b5a01f768fcfa52cc7
SHA256

82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d
SHA512

e1a23b08a4f8b72480d1a94eef3976f3ab9478792ceaab54a69fa810761efd37bbf8b00d57d454095074fdba12a398b924f4f10ec043ab4af904db8c78299533
SSDEEP

1536:sDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:SiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

224 omsecor.exe
4328 omsecor.exe
1868 omsecor.exe
2160 omsecor.exe
3772 omsecor.exe
4672 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
224	omsecor.exe
4328	omsecor.exe
1868	omsecor.exe
2160	omsecor.exe
3772	omsecor.exe
4672	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2172 set thread context of 4660	2172	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
PID 224 set thread context of 4328	224	omsecor.exe	omsecor.exe
PID 1868 set thread context of 2160	1868	omsecor.exe	omsecor.exe
PID 3772 set thread context of 4672	3772	omsecor.exe	omsecor.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2492	2172	WerFault.exe	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
1396	224	WerFault.exe	omsecor.exe
1956	1868	WerFault.exe	omsecor.exe
448	3772	WerFault.exe	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2172 wrote to memory of 4660	2172	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
PID 2172 wrote to memory of 4660	2172	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
PID 2172 wrote to memory of 4660	2172	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
PID 2172 wrote to memory of 4660	2172	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
PID 2172 wrote to memory of 4660	2172	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
PID 4660 wrote to memory of 224	4660	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	omsecor.exe
PID 4660 wrote to memory of 224	4660	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	omsecor.exe
PID 4660 wrote to memory of 224	4660	82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe	omsecor.exe
PID 224 wrote to memory of 4328	224	omsecor.exe	omsecor.exe
PID 224 wrote to memory of 4328	224	omsecor.exe	omsecor.exe
PID 224 wrote to memory of 4328	224	omsecor.exe	omsecor.exe
PID 224 wrote to memory of 4328	224	omsecor.exe	omsecor.exe
PID 224 wrote to memory of 4328	224	omsecor.exe	omsecor.exe
PID 4328 wrote to memory of 1868	4328	omsecor.exe	omsecor.exe
PID 4328 wrote to memory of 1868	4328	omsecor.exe	omsecor.exe
PID 4328 wrote to memory of 1868	4328	omsecor.exe	omsecor.exe
PID 1868 wrote to memory of 2160	1868	omsecor.exe	omsecor.exe
PID 1868 wrote to memory of 2160	1868	omsecor.exe	omsecor.exe
PID 1868 wrote to memory of 2160	1868	omsecor.exe	omsecor.exe
PID 1868 wrote to memory of 2160	1868	omsecor.exe	omsecor.exe
PID 1868 wrote to memory of 2160	1868	omsecor.exe	omsecor.exe
PID 2160 wrote to memory of 3772	2160	omsecor.exe	omsecor.exe
PID 2160 wrote to memory of 3772	2160	omsecor.exe	omsecor.exe
PID 2160 wrote to memory of 3772	2160	omsecor.exe	omsecor.exe
PID 3772 wrote to memory of 4672	3772	omsecor.exe	omsecor.exe
PID 3772 wrote to memory of 4672	3772	omsecor.exe	omsecor.exe
PID 3772 wrote to memory of 4672	3772	omsecor.exe	omsecor.exe
PID 3772 wrote to memory of 4672	3772	omsecor.exe	omsecor.exe
PID 3772 wrote to memory of 4672	3772	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
"C:\Users\Admin\AppData\Local\Temp\82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2172

C:\Users\Admin\AppData\Local\Temp\82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
C:\Users\Admin\AppData\Local\Temp\82b23e58689adf47787583b9ddda43feeb8ad389493e6fdfc3f648d94095f34d.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:224

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3772

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 256
8⤵
- Program crash
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 292
6⤵
- Program crash
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 288
4⤵
- Program crash
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 288
2⤵
- Program crash
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2172 -ip 2172
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 224 -ip 224
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1868 -ip 1868
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3772 -ip 3772
1⤵
PID:628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
b0752284e6f57104273fa162c739738f

SHA1
defc30c206d12e8df2a4438bfa446da85dff3f62

SHA256
b36f7f64d91cc98d005f04664d52410e29eb8e673ecde1b51a58ca9c530b44d3

SHA512
2abe2913f6a4156d0bf9fd010212ebd00d794dea7fd2353997c7676f692582f1392e8cfeec228d08964d6c971b6a744495e5ab2cd710432bb9614e2e8eefbc52

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
134KB

MD5
7b4004bc07a209c2bc5d1237d7cc9209

SHA1
48ec69da5c988aa3248580abfa49cad4b32ee18b

SHA256
c5f27147d7cf6799d6f32cac068eeb2fc4d53e8c79b54aed39af552a8ed6f18b

SHA512
23b26e8dbc43c866b673a88818544bf06ca2ba87bfbfea49c659d162704dc4394341762da8f5a13dded2e982b07641e76c0196bd90a87ea368fb52d973995a33

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
134KB

MD5
6202806cf82b1210046a11b15e19e346

SHA1
e30ac9501383c5d3ad8f01f54535c3b9dee2db8a

SHA256
8a990d1fe74483349e8c11b9d8c6e827ca22a2e017af92be0836fb079b214d3b

SHA512
91dfdaa5e6b87ee5f980eb74c3a5ee9dc03d4593d8f66f36df9007d13116d273ea058a3faa965b440e0eb4532d6dc8563638b5b533889693832fbdb7fa439dd6

Download Submit
memory/224-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1868-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2160-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2160-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2160-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2172-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2172-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3772-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4328-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4328-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4328-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4328-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4328-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4328-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4328-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4660-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4660-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4660-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4660-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4672-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4672-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4672-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4672-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4672-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4672-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads