neconyd | e64a2fe79e497e35f6da6e4fcb5259eabf1b051d9660ffbcf02ac66adaf8485a

Analysis

max time kernel
158s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe
Size

134KB
MD5

d319dfc5c8659a7286c0af09d09ae631
SHA1

224f945dac5d2bc26a862a68f7f8556c3ddde083
SHA256

e64a2fe79e497e35f6da6e4fcb5259eabf1b051d9660ffbcf02ac66adaf8485a
SHA512

c6baa47ba45ee75e1b9a728aea297b133aa84f3ebfbf40c293346312446cb8547fe9c9ecda4faa1abff9f8539bf7608b00c441a3c9fec3184da3bf3f0bd9068b
SSDEEP

1536:aDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:8iRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
3764	omsecor.exe
2552	omsecor.exe
2940	omsecor.exe
5000	omsecor.exe
5052	omsecor.exe
5004	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4504 set thread context of 4024	4504	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	87
PID 3764 set thread context of 2552	3764	omsecor.exe	91
PID 2940 set thread context of 5000	2940	omsecor.exe	106
PID 5052 set thread context of 5004	5052	omsecor.exe	110

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4888	3764	WerFault.exe	92
1356	4504	WerFault.exe	16
2240	2940	WerFault.exe	105
1384	5052	WerFault.exe	109

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 4024	4504	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	87
PID 4504 wrote to memory of 4024	4504	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	87
PID 4504 wrote to memory of 4024	4504	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	87
PID 4504 wrote to memory of 4024	4504	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	87
PID 4504 wrote to memory of 4024	4504	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	87
PID 4024 wrote to memory of 3764	4024	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	92
PID 4024 wrote to memory of 3764	4024	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	92
PID 4024 wrote to memory of 3764	4024	NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe	92
PID 3764 wrote to memory of 2552	3764	omsecor.exe	91
PID 3764 wrote to memory of 2552	3764	omsecor.exe	91
PID 3764 wrote to memory of 2552	3764	omsecor.exe	91
PID 3764 wrote to memory of 2552	3764	omsecor.exe	91
PID 3764 wrote to memory of 2552	3764	omsecor.exe	91
PID 2552 wrote to memory of 2940	2552	omsecor.exe	105
PID 2552 wrote to memory of 2940	2552	omsecor.exe	105
PID 2552 wrote to memory of 2940	2552	omsecor.exe	105
PID 2940 wrote to memory of 5000	2940	omsecor.exe	106
PID 2940 wrote to memory of 5000	2940	omsecor.exe	106
PID 2940 wrote to memory of 5000	2940	omsecor.exe	106
PID 2940 wrote to memory of 5000	2940	omsecor.exe	106
PID 2940 wrote to memory of 5000	2940	omsecor.exe	106
PID 5000 wrote to memory of 5052	5000	omsecor.exe	109
PID 5000 wrote to memory of 5052	5000	omsecor.exe	109
PID 5000 wrote to memory of 5052	5000	omsecor.exe	109
PID 5052 wrote to memory of 5004	5052	omsecor.exe	110
PID 5052 wrote to memory of 5004	5052	omsecor.exe	110
PID 5052 wrote to memory of 5004	5052	omsecor.exe	110
PID 5052 wrote to memory of 5004	5052	omsecor.exe	110
PID 5052 wrote to memory of 5004	5052	omsecor.exe	110

C:\Users\Admin\AppData\Local\Temp\NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Local\Temp\NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.d319dfc5c8659a7286c0af09d09ae631_JC.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 300
      4⤵
      Program crash
      PID:4888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 288
  2⤵
  - Program crash
  PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4504 -ip 4504
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3764 -ip 3764
1⤵
PID:1464

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\SysWOW64\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:5052
    - - C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        5⤵
        Executes dropped EXE
        
        PID:5004
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 268
        5⤵
        Program crash
        
        PID:1384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 292
    3⤵
    - Program crash
    PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2940 -ip 2940
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5052 -ip 5052
1⤵
PID:2488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
9897dec7b16f8093272514fe25604ba1

SHA1
ae8092f03cdfbf191e1abe4a41580726fee265ee

SHA256
1c8f285291518560ad4ee5e5b814a4a43d370bf068daaa016f8774fab57a3a03

SHA512
4fa019450661ea03ed41b658fdee0af45810a2a2405e60da7e76f31f7a26e78b41ff00a5ee21f9cf679c8677c90199d26ae89423bd8003da5fd94abfd223de4f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
2e5fe506db628550ed08f0963203de94

SHA1
d665c6c3b19173c9e3b34ba3b30fafe503ee79a6

SHA256
eda4abf0f30bf0855e26bafccb1476fbd8ee70495befb75afe3d82de192002e3

SHA512
cbdf383eba657249aa01dcc4c53bf3485ab6be376d3133db2a11565f732a9f3e02496bd3608b7e3f2b72ae63d6d5cc00ee554fd3e90cc58456eb81649bd05f9e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
2e5fe506db628550ed08f0963203de94

SHA1
d665c6c3b19173c9e3b34ba3b30fafe503ee79a6

SHA256
eda4abf0f30bf0855e26bafccb1476fbd8ee70495befb75afe3d82de192002e3

SHA512
cbdf383eba657249aa01dcc4c53bf3485ab6be376d3133db2a11565f732a9f3e02496bd3608b7e3f2b72ae63d6d5cc00ee554fd3e90cc58456eb81649bd05f9e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
2e5fe506db628550ed08f0963203de94

SHA1
d665c6c3b19173c9e3b34ba3b30fafe503ee79a6

SHA256
eda4abf0f30bf0855e26bafccb1476fbd8ee70495befb75afe3d82de192002e3

SHA512
cbdf383eba657249aa01dcc4c53bf3485ab6be376d3133db2a11565f732a9f3e02496bd3608b7e3f2b72ae63d6d5cc00ee554fd3e90cc58456eb81649bd05f9e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
9897dec7b16f8093272514fe25604ba1

SHA1
ae8092f03cdfbf191e1abe4a41580726fee265ee

SHA256
1c8f285291518560ad4ee5e5b814a4a43d370bf068daaa016f8774fab57a3a03

SHA512
4fa019450661ea03ed41b658fdee0af45810a2a2405e60da7e76f31f7a26e78b41ff00a5ee21f9cf679c8677c90199d26ae89423bd8003da5fd94abfd223de4f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
9897dec7b16f8093272514fe25604ba1

SHA1
ae8092f03cdfbf191e1abe4a41580726fee265ee

SHA256
1c8f285291518560ad4ee5e5b814a4a43d370bf068daaa016f8774fab57a3a03

SHA512
4fa019450661ea03ed41b658fdee0af45810a2a2405e60da7e76f31f7a26e78b41ff00a5ee21f9cf679c8677c90199d26ae89423bd8003da5fd94abfd223de4f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
8361d3ee0d4c94fe74fa0625b3c0f36a

SHA1
036a0a1347fc46d36a235d0bfbbf7d62f3aa4156

SHA256
8cc326756e7362624c1d340cf3c9f4fdeab3b096ac2ff178d7ee5f4626bbb7b1

SHA512
ec67c1455e7f9328d451f21e2e2ac8b9e07f26a106dc8c069afdb0579e9aa202f8809ca250a2571fc7a506005e03c24284e92289ec22639dc4fc19b970eafad9

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
8361d3ee0d4c94fe74fa0625b3c0f36a

SHA1
036a0a1347fc46d36a235d0bfbbf7d62f3aa4156

SHA256
8cc326756e7362624c1d340cf3c9f4fdeab3b096ac2ff178d7ee5f4626bbb7b1

SHA512
ec67c1455e7f9328d451f21e2e2ac8b9e07f26a106dc8c069afdb0579e9aa202f8809ca250a2571fc7a506005e03c24284e92289ec22639dc4fc19b970eafad9

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
8361d3ee0d4c94fe74fa0625b3c0f36a

SHA1
036a0a1347fc46d36a235d0bfbbf7d62f3aa4156

SHA256
8cc326756e7362624c1d340cf3c9f4fdeab3b096ac2ff178d7ee5f4626bbb7b1

SHA512
ec67c1455e7f9328d451f21e2e2ac8b9e07f26a106dc8c069afdb0579e9aa202f8809ca250a2571fc7a506005e03c24284e92289ec22639dc4fc19b970eafad9

Download Submit
memory/2552-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2552-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2552-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2552-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2552-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2552-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2552-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2940-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3764-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3764-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4024-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4024-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4024-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4024-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4504-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4504-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5000-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5000-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5000-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5004-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5004-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5004-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5004-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5052-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download