neconyd | 318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4

General

Target

318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
Size

96KB
MD5

725b10f17b61db60c8b21786a74d6b18
SHA1

3185eafb33cc4b84e6ce73e9292e0414a44ddd5f
SHA256

318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4
SHA512

a4f632110186547a76e54c269b06c0d94b0a8dba5e609cb20357caff89e15fe53a97dfd2220692fab39abbbf9ff9ba261c23e21539f102fe52e743b615781089
SSDEEP

1536:3nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:3Gs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Detects executables built or packed with MPress PE compressor 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3912-0-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4392-11-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3912-18-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4156-30-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/936-42-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\AppData\Roaming\omsecor.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4156-51-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 6 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

pid process

4392 omsecor.exe
1804 omsecor.exe
4156 omsecor.exe
340 omsecor.exe
936 omsecor.exe
1028 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
4392	omsecor.exe
1804	omsecor.exe
4156	omsecor.exe
340	omsecor.exe
936	omsecor.exe
1028	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3912 set thread context of 5068	3912	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
PID 4392 set thread context of 1804	4392	omsecor.exe	omsecor.exe
PID 4156 set thread context of 340	4156	omsecor.exe	omsecor.exe
PID 936 set thread context of 1028	936	omsecor.exe	omsecor.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
756	3912	WerFault.exe	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
3040	4392	WerFault.exe	omsecor.exe
4720	4156	WerFault.exe	omsecor.exe
2740	936	WerFault.exe	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3912 wrote to memory of 5068	3912	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
PID 3912 wrote to memory of 5068	3912	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
PID 3912 wrote to memory of 5068	3912	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
PID 3912 wrote to memory of 5068	3912	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
PID 3912 wrote to memory of 5068	3912	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
PID 5068 wrote to memory of 4392	5068	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	omsecor.exe
PID 5068 wrote to memory of 4392	5068	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	omsecor.exe
PID 5068 wrote to memory of 4392	5068	318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe	omsecor.exe
PID 4392 wrote to memory of 1804	4392	omsecor.exe	omsecor.exe
PID 4392 wrote to memory of 1804	4392	omsecor.exe	omsecor.exe
PID 4392 wrote to memory of 1804	4392	omsecor.exe	omsecor.exe
PID 4392 wrote to memory of 1804	4392	omsecor.exe	omsecor.exe
PID 4392 wrote to memory of 1804	4392	omsecor.exe	omsecor.exe
PID 1804 wrote to memory of 4156	1804	omsecor.exe	omsecor.exe
PID 1804 wrote to memory of 4156	1804	omsecor.exe	omsecor.exe
PID 1804 wrote to memory of 4156	1804	omsecor.exe	omsecor.exe
PID 4156 wrote to memory of 340	4156	omsecor.exe	omsecor.exe
PID 4156 wrote to memory of 340	4156	omsecor.exe	omsecor.exe
PID 4156 wrote to memory of 340	4156	omsecor.exe	omsecor.exe
PID 4156 wrote to memory of 340	4156	omsecor.exe	omsecor.exe
PID 4156 wrote to memory of 340	4156	omsecor.exe	omsecor.exe
PID 340 wrote to memory of 936	340	omsecor.exe	omsecor.exe
PID 340 wrote to memory of 936	340	omsecor.exe	omsecor.exe
PID 340 wrote to memory of 936	340	omsecor.exe	omsecor.exe
PID 936 wrote to memory of 1028	936	omsecor.exe	omsecor.exe
PID 936 wrote to memory of 1028	936	omsecor.exe	omsecor.exe
PID 936 wrote to memory of 1028	936	omsecor.exe	omsecor.exe
PID 936 wrote to memory of 1028	936	omsecor.exe	omsecor.exe
PID 936 wrote to memory of 1028	936	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
"C:\Users\Admin\AppData\Local\Temp\318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3912

C:\Users\Admin\AppData\Local\Temp\318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
C:\Users\Admin\AppData\Local\Temp\318425f6f71d53d6ada486a3633f478b00dc1ae3afaa41715d61d0bc74d8efa4.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4392

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:340

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
8⤵
- Executes dropped EXE
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 256
8⤵
- Program crash
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 292
6⤵
- Program crash
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 288
4⤵
- Program crash
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 288
2⤵
- Program crash
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3912 -ip 3912
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4392 -ip 4392
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4156 -ip 4156
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 936 -ip 936
1⤵
PID:3752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
e35bb600828cee663c3bb749992d1102

SHA1
5de3a49213b3c31a5d2c70f5dd539bdd4e70d205

SHA256
3a3ab6e9b764f9af0b7d20450eec36ba7f76a364636febf391a282b784d8abac

SHA512
e3ee0bba8cc09ed0979670bad805c8a50f23b532c893c173950060c34f176e5f4ead4dacc290b32666f449703a0a95af9ce7064c7b0fa699290954be3d8340d8

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
96KB

MD5
78b6a890fb36e243465eb24cf5bcd5a9

SHA1
a0a7e7da723d2223f62df1219c58a5c9b33311bb

SHA256
0af5a94bdc966f99ddf22d3f6ec986e913e555316651e93ff52a86658ef2e66d

SHA512
ed3ee56d333216cde10523a91e0e79f6aff751792b60bddca2a64ae19e0b356d2cb7f8dfbab214f5a5d0ecf6f3eeed5831d950b50d8add3c11040dc70920325e

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
96KB

MD5
e736fa01e66064658b21b3be17ab9f78

SHA1
a9f2e81cbe12cd0a61121abfeb452d07285be762

SHA256
273878ebc470ba1818a231a86d3e473a90e550cc082f9f763858ee325c4b7c8f

SHA512
1160f9ed9b62f3cd73a564847ff9143b9f767de6a5fcc9c59dfa927ce4f63c561bd44abc501e433f9af960b931b7a6bf463ef9f2347025b900598db346130c43

Download Submit
memory/340-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/340-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/340-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/936-42-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1028-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1028-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1028-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1028-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1028-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1028-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1804-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1804-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1804-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1804-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1804-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1804-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1804-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3912-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3912-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4156-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4156-51-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4392-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5068-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5068-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5068-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5068-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads