neconyd | e64a2fe79e497e35f6da6e4fcb5259eabf1b051d9660ffbcf02ac66adaf8485a

Analysis

max time kernel
147s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe
Size

134KB
MD5

d319dfc5c8659a7286c0af09d09ae631
SHA1

224f945dac5d2bc26a862a68f7f8556c3ddde083
SHA256

e64a2fe79e497e35f6da6e4fcb5259eabf1b051d9660ffbcf02ac66adaf8485a
SHA512

c6baa47ba45ee75e1b9a728aea297b133aa84f3ebfbf40c293346312446cb8547fe9c9ecda4faa1abff9f8539bf7608b00c441a3c9fec3184da3bf3f0bd9068b
SSDEEP

1536:aDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:8iRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
2784	omsecor.exe
2716	omsecor.exe
808	omsecor.exe
2480	omsecor.exe
2792	omsecor.exe
1368	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1604	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe
1604	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe
2716	omsecor.exe
2716	omsecor.exe
2480	omsecor.exe
2480	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 1604	2024	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	20
PID 2784 set thread context of 2716	2784	omsecor.exe	18
PID 808 set thread context of 2480	808	omsecor.exe	35
PID 2792 set thread context of 1368	2792	omsecor.exe	37

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1604	2024	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	20
PID 2024 wrote to memory of 1604	2024	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	20
PID 2024 wrote to memory of 1604	2024	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	20
PID 2024 wrote to memory of 1604	2024	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	20
PID 2024 wrote to memory of 1604	2024	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	20
PID 2024 wrote to memory of 1604	2024	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	20
PID 1604 wrote to memory of 2784	1604	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	19
PID 1604 wrote to memory of 2784	1604	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	19
PID 1604 wrote to memory of 2784	1604	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	19
PID 1604 wrote to memory of 2784	1604	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	19
PID 2784 wrote to memory of 2716	2784	omsecor.exe	18
PID 2784 wrote to memory of 2716	2784	omsecor.exe	18
PID 2784 wrote to memory of 2716	2784	omsecor.exe	18
PID 2784 wrote to memory of 2716	2784	omsecor.exe	18
PID 2784 wrote to memory of 2716	2784	omsecor.exe	18
PID 2784 wrote to memory of 2716	2784	omsecor.exe	18
PID 2716 wrote to memory of 808	2716	omsecor.exe	34
PID 2716 wrote to memory of 808	2716	omsecor.exe	34
PID 2716 wrote to memory of 808	2716	omsecor.exe	34
PID 2716 wrote to memory of 808	2716	omsecor.exe	34
PID 808 wrote to memory of 2480	808	omsecor.exe	35
PID 808 wrote to memory of 2480	808	omsecor.exe	35
PID 808 wrote to memory of 2480	808	omsecor.exe	35
PID 808 wrote to memory of 2480	808	omsecor.exe	35
PID 808 wrote to memory of 2480	808	omsecor.exe	35
PID 808 wrote to memory of 2480	808	omsecor.exe	35
PID 2480 wrote to memory of 2792	2480	omsecor.exe	36
PID 2480 wrote to memory of 2792	2480	omsecor.exe	36
PID 2480 wrote to memory of 2792	2480	omsecor.exe	36
PID 2480 wrote to memory of 2792	2480	omsecor.exe	36
PID 2792 wrote to memory of 1368	2792	omsecor.exe	37
PID 2792 wrote to memory of 1368	2792	omsecor.exe	37
PID 2792 wrote to memory of 1368	2792	omsecor.exe	37
PID 2792 wrote to memory of 1368	2792	omsecor.exe	37
PID 2792 wrote to memory of 1368	2792	omsecor.exe	37
PID 2792 wrote to memory of 1368	2792	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1604

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\SysWOW64\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        5⤵
        Executes dropped EXE
        
        PID:1368

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
9897dec7b16f8093272514fe25604ba1

SHA1
ae8092f03cdfbf191e1abe4a41580726fee265ee

SHA256
1c8f285291518560ad4ee5e5b814a4a43d370bf068daaa016f8774fab57a3a03

SHA512
4fa019450661ea03ed41b658fdee0af45810a2a2405e60da7e76f31f7a26e78b41ff00a5ee21f9cf679c8677c90199d26ae89423bd8003da5fd94abfd223de4f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
9897dec7b16f8093272514fe25604ba1

SHA1
ae8092f03cdfbf191e1abe4a41580726fee265ee

SHA256
1c8f285291518560ad4ee5e5b814a4a43d370bf068daaa016f8774fab57a3a03

SHA512
4fa019450661ea03ed41b658fdee0af45810a2a2405e60da7e76f31f7a26e78b41ff00a5ee21f9cf679c8677c90199d26ae89423bd8003da5fd94abfd223de4f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
9897dec7b16f8093272514fe25604ba1

SHA1
ae8092f03cdfbf191e1abe4a41580726fee265ee

SHA256
1c8f285291518560ad4ee5e5b814a4a43d370bf068daaa016f8774fab57a3a03

SHA512
4fa019450661ea03ed41b658fdee0af45810a2a2405e60da7e76f31f7a26e78b41ff00a5ee21f9cf679c8677c90199d26ae89423bd8003da5fd94abfd223de4f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
9897dec7b16f8093272514fe25604ba1

SHA1
ae8092f03cdfbf191e1abe4a41580726fee265ee

SHA256
1c8f285291518560ad4ee5e5b814a4a43d370bf068daaa016f8774fab57a3a03

SHA512
4fa019450661ea03ed41b658fdee0af45810a2a2405e60da7e76f31f7a26e78b41ff00a5ee21f9cf679c8677c90199d26ae89423bd8003da5fd94abfd223de4f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
8736b7775eff188871e32df13b94fb76

SHA1
d750bd9a434b6877a05507a01a977b3ed6be4639

SHA256
d82c8bef4cd9b524a5e5f957b0d50038b67c48452a2a657ea931692304427f70

SHA512
e6cd4dbe43dc517c2437e7836e2318137f0fc14afacbf1afb2dfb4913b09a3e138483a3e0dc4261221a39641d4bd0d4d9aeeaa52ac44bcb33fe7dc7099606c3c

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
8736b7775eff188871e32df13b94fb76

SHA1
d750bd9a434b6877a05507a01a977b3ed6be4639

SHA256
d82c8bef4cd9b524a5e5f957b0d50038b67c48452a2a657ea931692304427f70

SHA512
e6cd4dbe43dc517c2437e7836e2318137f0fc14afacbf1afb2dfb4913b09a3e138483a3e0dc4261221a39641d4bd0d4d9aeeaa52ac44bcb33fe7dc7099606c3c

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
8736b7775eff188871e32df13b94fb76

SHA1
d750bd9a434b6877a05507a01a977b3ed6be4639

SHA256
d82c8bef4cd9b524a5e5f957b0d50038b67c48452a2a657ea931692304427f70

SHA512
e6cd4dbe43dc517c2437e7836e2318137f0fc14afacbf1afb2dfb4913b09a3e138483a3e0dc4261221a39641d4bd0d4d9aeeaa52ac44bcb33fe7dc7099606c3c

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
8736b7775eff188871e32df13b94fb76

SHA1
d750bd9a434b6877a05507a01a977b3ed6be4639

SHA256
d82c8bef4cd9b524a5e5f957b0d50038b67c48452a2a657ea931692304427f70

SHA512
e6cd4dbe43dc517c2437e7836e2318137f0fc14afacbf1afb2dfb4913b09a3e138483a3e0dc4261221a39641d4bd0d4d9aeeaa52ac44bcb33fe7dc7099606c3c

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
928971c7558de2a99e9d00f7b4181be8

SHA1
5ce5d5fd26fdf7f0d288e77e4c7efc25bbf42500

SHA256
e33a62d15954445fd82ba0050dccd8e6405c1caab63fe919d737f4ba2f754c56

SHA512
24317df079c5c32d78a27e41b4d53f2f0aa62cad86726c6f29a51196cdaf0022dfb793fba996038801b38b1383c4856171fb7bf2e95d03e2343f874a89d71072

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
928971c7558de2a99e9d00f7b4181be8

SHA1
5ce5d5fd26fdf7f0d288e77e4c7efc25bbf42500

SHA256
e33a62d15954445fd82ba0050dccd8e6405c1caab63fe919d737f4ba2f754c56

SHA512
24317df079c5c32d78a27e41b4d53f2f0aa62cad86726c6f29a51196cdaf0022dfb793fba996038801b38b1383c4856171fb7bf2e95d03e2343f874a89d71072

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
928971c7558de2a99e9d00f7b4181be8

SHA1
5ce5d5fd26fdf7f0d288e77e4c7efc25bbf42500

SHA256
e33a62d15954445fd82ba0050dccd8e6405c1caab63fe919d737f4ba2f754c56

SHA512
24317df079c5c32d78a27e41b4d53f2f0aa62cad86726c6f29a51196cdaf0022dfb793fba996038801b38b1383c4856171fb7bf2e95d03e2343f874a89d71072

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
928971c7558de2a99e9d00f7b4181be8

SHA1
5ce5d5fd26fdf7f0d288e77e4c7efc25bbf42500

SHA256
e33a62d15954445fd82ba0050dccd8e6405c1caab63fe919d737f4ba2f754c56

SHA512
24317df079c5c32d78a27e41b4d53f2f0aa62cad86726c6f29a51196cdaf0022dfb793fba996038801b38b1383c4856171fb7bf2e95d03e2343f874a89d71072

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
9897dec7b16f8093272514fe25604ba1

SHA1
ae8092f03cdfbf191e1abe4a41580726fee265ee

SHA256
1c8f285291518560ad4ee5e5b814a4a43d370bf068daaa016f8774fab57a3a03

SHA512
4fa019450661ea03ed41b658fdee0af45810a2a2405e60da7e76f31f7a26e78b41ff00a5ee21f9cf679c8677c90199d26ae89423bd8003da5fd94abfd223de4f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
9897dec7b16f8093272514fe25604ba1

SHA1
ae8092f03cdfbf191e1abe4a41580726fee265ee

SHA256
1c8f285291518560ad4ee5e5b814a4a43d370bf068daaa016f8774fab57a3a03

SHA512
4fa019450661ea03ed41b658fdee0af45810a2a2405e60da7e76f31f7a26e78b41ff00a5ee21f9cf679c8677c90199d26ae89423bd8003da5fd94abfd223de4f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
8736b7775eff188871e32df13b94fb76

SHA1
d750bd9a434b6877a05507a01a977b3ed6be4639

SHA256
d82c8bef4cd9b524a5e5f957b0d50038b67c48452a2a657ea931692304427f70

SHA512
e6cd4dbe43dc517c2437e7836e2318137f0fc14afacbf1afb2dfb4913b09a3e138483a3e0dc4261221a39641d4bd0d4d9aeeaa52ac44bcb33fe7dc7099606c3c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
8736b7775eff188871e32df13b94fb76

SHA1
d750bd9a434b6877a05507a01a977b3ed6be4639

SHA256
d82c8bef4cd9b524a5e5f957b0d50038b67c48452a2a657ea931692304427f70

SHA512
e6cd4dbe43dc517c2437e7836e2318137f0fc14afacbf1afb2dfb4913b09a3e138483a3e0dc4261221a39641d4bd0d4d9aeeaa52ac44bcb33fe7dc7099606c3c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
928971c7558de2a99e9d00f7b4181be8

SHA1
5ce5d5fd26fdf7f0d288e77e4c7efc25bbf42500

SHA256
e33a62d15954445fd82ba0050dccd8e6405c1caab63fe919d737f4ba2f754c56

SHA512
24317df079c5c32d78a27e41b4d53f2f0aa62cad86726c6f29a51196cdaf0022dfb793fba996038801b38b1383c4856171fb7bf2e95d03e2343f874a89d71072

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
928971c7558de2a99e9d00f7b4181be8

SHA1
5ce5d5fd26fdf7f0d288e77e4c7efc25bbf42500

SHA256
e33a62d15954445fd82ba0050dccd8e6405c1caab63fe919d737f4ba2f754c56

SHA512
24317df079c5c32d78a27e41b4d53f2f0aa62cad86726c6f29a51196cdaf0022dfb793fba996038801b38b1383c4856171fb7bf2e95d03e2343f874a89d71072

Download Submit
memory/808-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/808-52-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1368-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1368-85-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1604-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1604-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1604-12-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1604-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1604-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1604-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2024-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2024-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2480-66-0x00000000003D0000-0x00000000003F4000-memory.dmp

Filesize
144KB

Download
memory/2716-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2716-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2716-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2716-43-0x00000000028B0000-0x00000000028D4000-memory.dmp

Filesize
144KB

Download
memory/2716-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2716-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2784-29-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2784-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2792-73-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2792-82-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download