neconyd | ec9155947db37b72246ddf8c524af7af4a11da307ecf9907669d34342809aa4e

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22/10/2023, 17:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe
Size

128KB
MD5

dd9779b5c794c999c64e0b4dd1af04b0
SHA1

77e564649f5b6912f412a471e3b48d4d8dbabcda
SHA256

ec9155947db37b72246ddf8c524af7af4a11da307ecf9907669d34342809aa4e
SHA512

d902adec6f3297fac4f9cf6ff75d98a2a242a01d75bb3cbc7867888a91adce1e2482f169567cf3330b123ac00bf4d4e731545feb925602d2bae73475a1e4fd41
SSDEEP

1536:/DfDbhERTatPLTLLbC+8BMNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabau:riRTe3n8BMAW6J6f1tqF6dngNmaZrN

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
2772	omsecor.exe
2644	omsecor.exe
2912	omsecor.exe
1484	omsecor.exe
488	omsecor.exe
2596	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2136	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe
2136	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe
2772	omsecor.exe
2644	omsecor.exe
2644	omsecor.exe
1484	omsecor.exe
1484	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 2136	2376	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	28
PID 2772 set thread context of 2644	2772	omsecor.exe	30
PID 2912 set thread context of 1484	2912	omsecor.exe	35
PID 488 set thread context of 2596	488	omsecor.exe	37

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2136	2376	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	28
PID 2376 wrote to memory of 2136	2376	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	28
PID 2376 wrote to memory of 2136	2376	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	28
PID 2376 wrote to memory of 2136	2376	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	28
PID 2376 wrote to memory of 2136	2376	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	28
PID 2376 wrote to memory of 2136	2376	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	28
PID 2136 wrote to memory of 2772	2136	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	29
PID 2136 wrote to memory of 2772	2136	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	29
PID 2136 wrote to memory of 2772	2136	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	29
PID 2136 wrote to memory of 2772	2136	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	29
PID 2772 wrote to memory of 2644	2772	omsecor.exe	30
PID 2772 wrote to memory of 2644	2772	omsecor.exe	30
PID 2772 wrote to memory of 2644	2772	omsecor.exe	30
PID 2772 wrote to memory of 2644	2772	omsecor.exe	30
PID 2772 wrote to memory of 2644	2772	omsecor.exe	30
PID 2772 wrote to memory of 2644	2772	omsecor.exe	30
PID 2644 wrote to memory of 2912	2644	omsecor.exe	34
PID 2644 wrote to memory of 2912	2644	omsecor.exe	34
PID 2644 wrote to memory of 2912	2644	omsecor.exe	34
PID 2644 wrote to memory of 2912	2644	omsecor.exe	34
PID 2912 wrote to memory of 1484	2912	omsecor.exe	35
PID 2912 wrote to memory of 1484	2912	omsecor.exe	35
PID 2912 wrote to memory of 1484	2912	omsecor.exe	35
PID 2912 wrote to memory of 1484	2912	omsecor.exe	35
PID 2912 wrote to memory of 1484	2912	omsecor.exe	35
PID 2912 wrote to memory of 1484	2912	omsecor.exe	35
PID 1484 wrote to memory of 488	1484	omsecor.exe	36
PID 1484 wrote to memory of 488	1484	omsecor.exe	36
PID 1484 wrote to memory of 488	1484	omsecor.exe	36
PID 1484 wrote to memory of 488	1484	omsecor.exe	36
PID 488 wrote to memory of 2596	488	omsecor.exe	37
PID 488 wrote to memory of 2596	488	omsecor.exe	37
PID 488 wrote to memory of 2596	488	omsecor.exe	37
PID 488 wrote to memory of 2596	488	omsecor.exe	37
PID 488 wrote to memory of 2596	488	omsecor.exe	37
PID 488 wrote to memory of 2596	488	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:488
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:2596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
a19682ecd73a68019ceec7164a147944

SHA1
8df5cfdb13721b68e6063080709311062f5d6279

SHA256
37b1a2647e75039eec4a2552f0f9517296314cc48083d8e405b851c45a5da458

SHA512
06830043f40ab6b694d2e52804d9f409594ad44d0b3f6f4fa32a91701111786daa11e5ec3c9672b2d8e30e773626631cf9ab76a342dac2e4ebe8e97e6e05d54d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
a19682ecd73a68019ceec7164a147944

SHA1
8df5cfdb13721b68e6063080709311062f5d6279

SHA256
37b1a2647e75039eec4a2552f0f9517296314cc48083d8e405b851c45a5da458

SHA512
06830043f40ab6b694d2e52804d9f409594ad44d0b3f6f4fa32a91701111786daa11e5ec3c9672b2d8e30e773626631cf9ab76a342dac2e4ebe8e97e6e05d54d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
a19682ecd73a68019ceec7164a147944

SHA1
8df5cfdb13721b68e6063080709311062f5d6279

SHA256
37b1a2647e75039eec4a2552f0f9517296314cc48083d8e405b851c45a5da458

SHA512
06830043f40ab6b694d2e52804d9f409594ad44d0b3f6f4fa32a91701111786daa11e5ec3c9672b2d8e30e773626631cf9ab76a342dac2e4ebe8e97e6e05d54d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
a19682ecd73a68019ceec7164a147944

SHA1
8df5cfdb13721b68e6063080709311062f5d6279

SHA256
37b1a2647e75039eec4a2552f0f9517296314cc48083d8e405b851c45a5da458

SHA512
06830043f40ab6b694d2e52804d9f409594ad44d0b3f6f4fa32a91701111786daa11e5ec3c9672b2d8e30e773626631cf9ab76a342dac2e4ebe8e97e6e05d54d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
3cd1d7fc1ffbe6e8a0cfc2ecef7882b1

SHA1
5ade69e6247ab9951a2f542ea3f0fa74f1a8474d

SHA256
23140f032e59fb16ccae94a15e34c0a80dd4e5cc04caec9b7260806d45312d9b

SHA512
8a6ddddad02fb05ff5d97cbaf90403c3153a3b45525e79339383b5f39ede6532bc9ba6d4f966d1f45fba0e3cede2c21944b7e3766ff18ee920d6a77ba6882330

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
3cd1d7fc1ffbe6e8a0cfc2ecef7882b1

SHA1
5ade69e6247ab9951a2f542ea3f0fa74f1a8474d

SHA256
23140f032e59fb16ccae94a15e34c0a80dd4e5cc04caec9b7260806d45312d9b

SHA512
8a6ddddad02fb05ff5d97cbaf90403c3153a3b45525e79339383b5f39ede6532bc9ba6d4f966d1f45fba0e3cede2c21944b7e3766ff18ee920d6a77ba6882330

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
3cd1d7fc1ffbe6e8a0cfc2ecef7882b1

SHA1
5ade69e6247ab9951a2f542ea3f0fa74f1a8474d

SHA256
23140f032e59fb16ccae94a15e34c0a80dd4e5cc04caec9b7260806d45312d9b

SHA512
8a6ddddad02fb05ff5d97cbaf90403c3153a3b45525e79339383b5f39ede6532bc9ba6d4f966d1f45fba0e3cede2c21944b7e3766ff18ee920d6a77ba6882330

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
3cd1d7fc1ffbe6e8a0cfc2ecef7882b1

SHA1
5ade69e6247ab9951a2f542ea3f0fa74f1a8474d

SHA256
23140f032e59fb16ccae94a15e34c0a80dd4e5cc04caec9b7260806d45312d9b

SHA512
8a6ddddad02fb05ff5d97cbaf90403c3153a3b45525e79339383b5f39ede6532bc9ba6d4f966d1f45fba0e3cede2c21944b7e3766ff18ee920d6a77ba6882330

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
c130a27512e1f2dd92fface7278044d3

SHA1
dcef3877785d7de44fb163fd58aa938be4905eb7

SHA256
28546355ec267c2b45ede6d357aec6d64295786091fecfea8ca3ded3e178cb99

SHA512
069b6d921d876b894226f6f442d13f6da56d1d05ac39f455230e48d1de5790963ed7203d28dd70d4551487226631ba1e7b610f1c392bfeb445bae68478afc895

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
c130a27512e1f2dd92fface7278044d3

SHA1
dcef3877785d7de44fb163fd58aa938be4905eb7

SHA256
28546355ec267c2b45ede6d357aec6d64295786091fecfea8ca3ded3e178cb99

SHA512
069b6d921d876b894226f6f442d13f6da56d1d05ac39f455230e48d1de5790963ed7203d28dd70d4551487226631ba1e7b610f1c392bfeb445bae68478afc895

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
c130a27512e1f2dd92fface7278044d3

SHA1
dcef3877785d7de44fb163fd58aa938be4905eb7

SHA256
28546355ec267c2b45ede6d357aec6d64295786091fecfea8ca3ded3e178cb99

SHA512
069b6d921d876b894226f6f442d13f6da56d1d05ac39f455230e48d1de5790963ed7203d28dd70d4551487226631ba1e7b610f1c392bfeb445bae68478afc895

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
c130a27512e1f2dd92fface7278044d3

SHA1
dcef3877785d7de44fb163fd58aa938be4905eb7

SHA256
28546355ec267c2b45ede6d357aec6d64295786091fecfea8ca3ded3e178cb99

SHA512
069b6d921d876b894226f6f442d13f6da56d1d05ac39f455230e48d1de5790963ed7203d28dd70d4551487226631ba1e7b610f1c392bfeb445bae68478afc895

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
a19682ecd73a68019ceec7164a147944

SHA1
8df5cfdb13721b68e6063080709311062f5d6279

SHA256
37b1a2647e75039eec4a2552f0f9517296314cc48083d8e405b851c45a5da458

SHA512
06830043f40ab6b694d2e52804d9f409594ad44d0b3f6f4fa32a91701111786daa11e5ec3c9672b2d8e30e773626631cf9ab76a342dac2e4ebe8e97e6e05d54d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
a19682ecd73a68019ceec7164a147944

SHA1
8df5cfdb13721b68e6063080709311062f5d6279

SHA256
37b1a2647e75039eec4a2552f0f9517296314cc48083d8e405b851c45a5da458

SHA512
06830043f40ab6b694d2e52804d9f409594ad44d0b3f6f4fa32a91701111786daa11e5ec3c9672b2d8e30e773626631cf9ab76a342dac2e4ebe8e97e6e05d54d

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
3cd1d7fc1ffbe6e8a0cfc2ecef7882b1

SHA1
5ade69e6247ab9951a2f542ea3f0fa74f1a8474d

SHA256
23140f032e59fb16ccae94a15e34c0a80dd4e5cc04caec9b7260806d45312d9b

SHA512
8a6ddddad02fb05ff5d97cbaf90403c3153a3b45525e79339383b5f39ede6532bc9ba6d4f966d1f45fba0e3cede2c21944b7e3766ff18ee920d6a77ba6882330

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
3cd1d7fc1ffbe6e8a0cfc2ecef7882b1

SHA1
5ade69e6247ab9951a2f542ea3f0fa74f1a8474d

SHA256
23140f032e59fb16ccae94a15e34c0a80dd4e5cc04caec9b7260806d45312d9b

SHA512
8a6ddddad02fb05ff5d97cbaf90403c3153a3b45525e79339383b5f39ede6532bc9ba6d4f966d1f45fba0e3cede2c21944b7e3766ff18ee920d6a77ba6882330

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
a19682ecd73a68019ceec7164a147944

SHA1
8df5cfdb13721b68e6063080709311062f5d6279

SHA256
37b1a2647e75039eec4a2552f0f9517296314cc48083d8e405b851c45a5da458

SHA512
06830043f40ab6b694d2e52804d9f409594ad44d0b3f6f4fa32a91701111786daa11e5ec3c9672b2d8e30e773626631cf9ab76a342dac2e4ebe8e97e6e05d54d

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
c130a27512e1f2dd92fface7278044d3

SHA1
dcef3877785d7de44fb163fd58aa938be4905eb7

SHA256
28546355ec267c2b45ede6d357aec6d64295786091fecfea8ca3ded3e178cb99

SHA512
069b6d921d876b894226f6f442d13f6da56d1d05ac39f455230e48d1de5790963ed7203d28dd70d4551487226631ba1e7b610f1c392bfeb445bae68478afc895

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
c130a27512e1f2dd92fface7278044d3

SHA1
dcef3877785d7de44fb163fd58aa938be4905eb7

SHA256
28546355ec267c2b45ede6d357aec6d64295786091fecfea8ca3ded3e178cb99

SHA512
069b6d921d876b894226f6f442d13f6da56d1d05ac39f455230e48d1de5790963ed7203d28dd70d4551487226631ba1e7b610f1c392bfeb445bae68478afc895

Download Submit
memory/2136-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2136-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2136-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2136-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2136-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2596-76-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2596-79-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2644-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2644-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2644-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2644-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2644-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download