neconyd | 0da4715048677de44929ad3dd1e19694259ea70a9ef8868ba6bdf8100592406d

Analysis

max time kernel
151s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a75e5599b28780fc91146d91b4050d02_JC.exe
Size

61KB
MD5

a75e5599b28780fc91146d91b4050d02
SHA1

c01f4189729e74cf8d682a66ed4c10225fe343b9
SHA256

0da4715048677de44929ad3dd1e19694259ea70a9ef8868ba6bdf8100592406d
SHA512

8c6946d6e66641e2414f7470fddc2f996650fc353bec9d16cea37ff4acf04087378d1a396571fbae53e136f019d9796a5a5aa4f941d96b401715e8fa898909dc
SSDEEP

768:8MEIvFGvZEr8LFK0ic46N47eSdYAHwmZ7Bp6JXXlaa5uA:8bIvYvZEyFKF6N4yS+AQmZIl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
640	omsecor.exe
1456	omsecor.exe
1556	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 640	4964	a75e5599b28780fc91146d91b4050d02_JC.exe	86
PID 4964 wrote to memory of 640	4964	a75e5599b28780fc91146d91b4050d02_JC.exe	86
PID 4964 wrote to memory of 640	4964	a75e5599b28780fc91146d91b4050d02_JC.exe	86
PID 640 wrote to memory of 1456	640	omsecor.exe	106
PID 640 wrote to memory of 1456	640	omsecor.exe	106
PID 640 wrote to memory of 1456	640	omsecor.exe	106
PID 1456 wrote to memory of 1556	1456	omsecor.exe	107
PID 1456 wrote to memory of 1556	1456	omsecor.exe	107
PID 1456 wrote to memory of 1556	1456	omsecor.exe	107

C:\Users\Admin\AppData\Local\Temp\a75e5599b28780fc91146d91b4050d02_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a75e5599b28780fc91146d91b4050d02_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
314948e59f8953c1a862430afc206918

SHA1
ccff2fdc489ed0d9dd47a9c9506f5525282f0271

SHA256
dedf32372b39a753beb6f4d709f97d7bea1c5a6c0646a70a8c891ae37c91eb4f

SHA512
8688f270bd60fcb9606cdb2e4e64a822ae97fcde0c8ee8d6b03eca18d251c67915a1d6c016ab2012f188e6ef317aacb01cfc6066a4e02360ea05ba90c08034f9

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
314948e59f8953c1a862430afc206918

SHA1
ccff2fdc489ed0d9dd47a9c9506f5525282f0271

SHA256
dedf32372b39a753beb6f4d709f97d7bea1c5a6c0646a70a8c891ae37c91eb4f

SHA512
8688f270bd60fcb9606cdb2e4e64a822ae97fcde0c8ee8d6b03eca18d251c67915a1d6c016ab2012f188e6ef317aacb01cfc6066a4e02360ea05ba90c08034f9

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
83bf10e4961da52eef111dfca01470e1

SHA1
10626d3fb078b77e065d2617e7a569365345aaa9

SHA256
3fd02073138da735fe604437434046437163433e5ad8fff3503482e769f586bb

SHA512
8f2fe65cfb5fc9354df861c96727b687acad96c56ea85d8b95fdebb0fe9b99f08a44a10f70ede7017b0b7ffb867d7466f6d9743f575c15154212773fbca30b42

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
83bf10e4961da52eef111dfca01470e1

SHA1
10626d3fb078b77e065d2617e7a569365345aaa9

SHA256
3fd02073138da735fe604437434046437163433e5ad8fff3503482e769f586bb

SHA512
8f2fe65cfb5fc9354df861c96727b687acad96c56ea85d8b95fdebb0fe9b99f08a44a10f70ede7017b0b7ffb867d7466f6d9743f575c15154212773fbca30b42

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
ff151232a1dd5747a8dfd9a55561cdff

SHA1
3ec52b595fe5f43f4d1da729ee2af84c0eb44ecf

SHA256
55e7558278f0187f31267a3dc2d15f33f8de79f545c43387e8e829ae35d634c5

SHA512
789026abb6a647990c4a1bce9e4f757323bba6f01ff3a750f5d89b36fe722639d156e28cf36f7b64d649d4cbc77c06371c8dde4dbf3ac6ffef1fa97e28b834c1

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
ff151232a1dd5747a8dfd9a55561cdff

SHA1
3ec52b595fe5f43f4d1da729ee2af84c0eb44ecf

SHA256
55e7558278f0187f31267a3dc2d15f33f8de79f545c43387e8e829ae35d634c5

SHA512
789026abb6a647990c4a1bce9e4f757323bba6f01ff3a750f5d89b36fe722639d156e28cf36f7b64d649d4cbc77c06371c8dde4dbf3ac6ffef1fa97e28b834c1

Download Submit