neconyd | 318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4

General

Target

318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
Size

96KB
MD5

725b10f17b61db60c8b21786a74d6b18
SHA1

3185eafb33cc4b84e6ce73e9292e0414a44ddd5f
SHA256

318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4
SHA512

a4f632110186547a76e54c269b06c0d94b0a8dba5e609cb20357caff89e15fe53a97dfd2220692fab39abbbf9ff9ba261c23e21539f102fe52e743b615781089
SSDEEP

1536:3nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:3Gs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Detects executables built or packed with MPress PE compressor 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2060-0-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2060-8-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2992-21-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2992-30-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
\Windows\SysWOW64\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2864-46-0x0000000002380000-0x00000000023A3000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2152-65-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
\Users\Admin\AppData\Roaming\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1784-77-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1784-86-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

2992 omsecor.exe
2864 omsecor.exe
2152 omsecor.exe
2408 omsecor.exe
1784 omsecor.exe
2676 omsecor.exe

pid	process
2992	omsecor.exe
2864	omsecor.exe
2152	omsecor.exe
2408	omsecor.exe
1784	omsecor.exe
2676	omsecor.exe

Loads dropped DLL 7 IoCs

Processes:

318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exeomsecor.exeomsecor.exeomsecor.exe

pid	process
1832	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
1832	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
2992	omsecor.exe
2864	omsecor.exe
2864	omsecor.exe
2408	omsecor.exe
2408	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2060 set thread context of 1832	2060	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
PID 2992 set thread context of 2864	2992	omsecor.exe	omsecor.exe
PID 2152 set thread context of 2408	2152	omsecor.exe	omsecor.exe
PID 1784 set thread context of 2676	1784	omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2060 wrote to memory of 1832	2060	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
PID 2060 wrote to memory of 1832	2060	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
PID 2060 wrote to memory of 1832	2060	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
PID 2060 wrote to memory of 1832	2060	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
PID 2060 wrote to memory of 1832	2060	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
PID 2060 wrote to memory of 1832	2060	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
PID 1832 wrote to memory of 2992	1832	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	omsecor.exe
PID 1832 wrote to memory of 2992	1832	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	omsecor.exe
PID 1832 wrote to memory of 2992	1832	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	omsecor.exe
PID 1832 wrote to memory of 2992	1832	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	omsecor.exe
PID 2992 wrote to memory of 2864	2992	omsecor.exe	omsecor.exe
PID 2992 wrote to memory of 2864	2992	omsecor.exe	omsecor.exe
PID 2992 wrote to memory of 2864	2992	omsecor.exe	omsecor.exe
PID 2992 wrote to memory of 2864	2992	omsecor.exe	omsecor.exe
PID 2992 wrote to memory of 2864	2992	omsecor.exe	omsecor.exe
PID 2992 wrote to memory of 2864	2992	omsecor.exe	omsecor.exe
PID 2864 wrote to memory of 2152	2864	omsecor.exe	omsecor.exe
PID 2864 wrote to memory of 2152	2864	omsecor.exe	omsecor.exe
PID 2864 wrote to memory of 2152	2864	omsecor.exe	omsecor.exe
PID 2864 wrote to memory of 2152	2864	omsecor.exe	omsecor.exe
PID 2152 wrote to memory of 2408	2152	omsecor.exe	omsecor.exe
PID 2152 wrote to memory of 2408	2152	omsecor.exe	omsecor.exe
PID 2152 wrote to memory of 2408	2152	omsecor.exe	omsecor.exe
PID 2152 wrote to memory of 2408	2152	omsecor.exe	omsecor.exe
PID 2152 wrote to memory of 2408	2152	omsecor.exe	omsecor.exe
PID 2152 wrote to memory of 2408	2152	omsecor.exe	omsecor.exe
PID 2408 wrote to memory of 1784	2408	omsecor.exe	omsecor.exe
PID 2408 wrote to memory of 1784	2408	omsecor.exe	omsecor.exe
PID 2408 wrote to memory of 1784	2408	omsecor.exe	omsecor.exe
PID 2408 wrote to memory of 1784	2408	omsecor.exe	omsecor.exe
PID 1784 wrote to memory of 2676	1784	omsecor.exe	omsecor.exe
PID 1784 wrote to memory of 2676	1784	omsecor.exe	omsecor.exe
PID 1784 wrote to memory of 2676	1784	omsecor.exe	omsecor.exe
PID 1784 wrote to memory of 2676	1784	omsecor.exe	omsecor.exe
PID 1784 wrote to memory of 2676	1784	omsecor.exe	omsecor.exe
PID 1784 wrote to memory of 2676	1784	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
"C:\Users\Admin\AppData\Local\Temp\318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2060

C:\Users\Admin\AppData\Local\Temp\318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
C:\Users\Admin\AppData\Local\Temp\318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:2676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
e35bb600828cee663c3bb749992d1102

SHA1
5de3a49213b3c31a5d2c70f5dd539bdd4e70d205

SHA256
3a3ab6e9b764f9af0b7d20450eec36ba7f76a364636febf391a282b784d8abac

SHA512
e3ee0bba8cc09ed0979670bad805c8a50f23b532c893c173950060c34f176e5f4ead4dacc290b32666f449703a0a95af9ce7064c7b0fa699290954be3d8340d8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
bca1be289184fc047c342d24977cabfa

SHA1
b09453af9457f5888d4d3234e5dca6721380b934

SHA256
c39ee49b3421f8a3dadc72ee5d6175e7e7f4b9b2a2a6020e1bf0f8e2a65ad792

SHA512
0a016959e0cb37917cbe717e18d43a42971d48d139efbda949401849dd3326f3b48825e30aec352212fcf6068e0c09bac85bc2673f7bd5f0b8a0697b4f24507a

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
96KB

MD5
355ec3b79d2335861872b2d31305546f

SHA1
d15cca7e4c32aaa70fbb1eed9edb3d58f4c65494

SHA256
374194762e6e90a7e3af2471f3fb0be8ccf110d1e572235812f99e9c49405188

SHA512
8020c5b28d54586ebc76a06ac87dd3c8ac4f29131d90259e913d3586e29d8eb90e1f637839b079523c2e821862822176387c45d61090800c2b5b24d69a9bb663

Download Submit
memory/1784-86-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1784-77-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1832-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1832-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1832-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1832-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1832-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2060-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2060-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2152-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2676-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2676-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2864-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2864-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2864-46-0x0000000002380000-0x00000000023A3000-memory.dmp

Filesize
140KB

Download
memory/2864-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2864-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2864-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2992-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2992-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads