neconyd | ec9155947db37b72246ddf8c524af7af4a11da307ecf9907669d34342809aa4e

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 17:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe
Size

128KB
MD5

dd9779b5c794c999c64e0b4dd1af04b0
SHA1

77e564649f5b6912f412a471e3b48d4d8dbabcda
SHA256

ec9155947db37b72246ddf8c524af7af4a11da307ecf9907669d34342809aa4e
SHA512

d902adec6f3297fac4f9cf6ff75d98a2a242a01d75bb3cbc7867888a91adce1e2482f169567cf3330b123ac00bf4d4e731545feb925602d2bae73475a1e4fd41
SSDEEP

1536:/DfDbhERTatPLTLLbC+8BMNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabau:riRTe3n8BMAW6J6f1tqF6dngNmaZrN

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
4112	omsecor.exe
4032	omsecor.exe
1616	omsecor.exe
4496	omsecor.exe
4748	omsecor.exe
5020	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3616 set thread context of 3984	3616	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	88
PID 4112 set thread context of 4032	4112	omsecor.exe	93
PID 1616 set thread context of 4496	1616	omsecor.exe	101
PID 4748 set thread context of 5020	4748	omsecor.exe	105

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2560	3616	WerFault.exe	72
1592	4112	WerFault.exe	91
3488	1616	WerFault.exe	100
2540	4748	WerFault.exe	104

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 3984	3616	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	88
PID 3616 wrote to memory of 3984	3616	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	88
PID 3616 wrote to memory of 3984	3616	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	88
PID 3616 wrote to memory of 3984	3616	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	88
PID 3616 wrote to memory of 3984	3616	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	88
PID 3984 wrote to memory of 4112	3984	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	91
PID 3984 wrote to memory of 4112	3984	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	91
PID 3984 wrote to memory of 4112	3984	NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe	91
PID 4112 wrote to memory of 4032	4112	omsecor.exe	93
PID 4112 wrote to memory of 4032	4112	omsecor.exe	93
PID 4112 wrote to memory of 4032	4112	omsecor.exe	93
PID 4112 wrote to memory of 4032	4112	omsecor.exe	93
PID 4112 wrote to memory of 4032	4112	omsecor.exe	93
PID 4032 wrote to memory of 1616	4032	omsecor.exe	100
PID 4032 wrote to memory of 1616	4032	omsecor.exe	100
PID 4032 wrote to memory of 1616	4032	omsecor.exe	100
PID 1616 wrote to memory of 4496	1616	omsecor.exe	101
PID 1616 wrote to memory of 4496	1616	omsecor.exe	101
PID 1616 wrote to memory of 4496	1616	omsecor.exe	101
PID 1616 wrote to memory of 4496	1616	omsecor.exe	101
PID 1616 wrote to memory of 4496	1616	omsecor.exe	101
PID 4496 wrote to memory of 4748	4496	omsecor.exe	104
PID 4496 wrote to memory of 4748	4496	omsecor.exe	104
PID 4496 wrote to memory of 4748	4496	omsecor.exe	104
PID 4748 wrote to memory of 5020	4748	omsecor.exe	105
PID 4748 wrote to memory of 5020	4748	omsecor.exe	105
PID 4748 wrote to memory of 5020	4748	omsecor.exe	105
PID 4748 wrote to memory of 5020	4748	omsecor.exe	105
PID 4748 wrote to memory of 5020	4748	omsecor.exe	105

C:\Users\Admin\AppData\Local\Temp\NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Users\Admin\AppData\Local\Temp\NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.dd9779b5c794c999c64e0b4dd1af04b0.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4032
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 256
        8⤵
        Program crash
        
        PID:2540
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 292
        6⤵
        Program crash
        
        PID:3488
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 288
      4⤵
      Program crash
      PID:1592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 300
  2⤵
  - Program crash
  PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3616 -ip 3616
1⤵
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4112 -ip 4112
1⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1616 -ip 1616
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4748 -ip 4748
1⤵
PID:904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
a19682ecd73a68019ceec7164a147944

SHA1
8df5cfdb13721b68e6063080709311062f5d6279

SHA256
37b1a2647e75039eec4a2552f0f9517296314cc48083d8e405b851c45a5da458

SHA512
06830043f40ab6b694d2e52804d9f409594ad44d0b3f6f4fa32a91701111786daa11e5ec3c9672b2d8e30e773626631cf9ab76a342dac2e4ebe8e97e6e05d54d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
b9d0ccf33f9c83f5a8734a7389ed473d

SHA1
214fef65cc3b4d4b820eaaf883298234a05911c9

SHA256
5ced74a38670347911194b3be31992c8c959fb8f696ac2cad760fc524c83e88d

SHA512
8447f2e44923f30d700ef7a51b1176812e2c6c9d73393dba8d0edbb8e7b8f179ce9572232c50ffdb449bd4a187a905d2b6346ac5226a995308cca325b5501430

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
b9d0ccf33f9c83f5a8734a7389ed473d

SHA1
214fef65cc3b4d4b820eaaf883298234a05911c9

SHA256
5ced74a38670347911194b3be31992c8c959fb8f696ac2cad760fc524c83e88d

SHA512
8447f2e44923f30d700ef7a51b1176812e2c6c9d73393dba8d0edbb8e7b8f179ce9572232c50ffdb449bd4a187a905d2b6346ac5226a995308cca325b5501430

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
b9d0ccf33f9c83f5a8734a7389ed473d

SHA1
214fef65cc3b4d4b820eaaf883298234a05911c9

SHA256
5ced74a38670347911194b3be31992c8c959fb8f696ac2cad760fc524c83e88d

SHA512
8447f2e44923f30d700ef7a51b1176812e2c6c9d73393dba8d0edbb8e7b8f179ce9572232c50ffdb449bd4a187a905d2b6346ac5226a995308cca325b5501430

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
a19682ecd73a68019ceec7164a147944

SHA1
8df5cfdb13721b68e6063080709311062f5d6279

SHA256
37b1a2647e75039eec4a2552f0f9517296314cc48083d8e405b851c45a5da458

SHA512
06830043f40ab6b694d2e52804d9f409594ad44d0b3f6f4fa32a91701111786daa11e5ec3c9672b2d8e30e773626631cf9ab76a342dac2e4ebe8e97e6e05d54d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
a19682ecd73a68019ceec7164a147944

SHA1
8df5cfdb13721b68e6063080709311062f5d6279

SHA256
37b1a2647e75039eec4a2552f0f9517296314cc48083d8e405b851c45a5da458

SHA512
06830043f40ab6b694d2e52804d9f409594ad44d0b3f6f4fa32a91701111786daa11e5ec3c9672b2d8e30e773626631cf9ab76a342dac2e4ebe8e97e6e05d54d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
0a32f97dea4c7e45046f4e73a1c61f3c

SHA1
c59948051b586d93326f74dfbd817c557c2014df

SHA256
f33d44c5068053acc333d30fc1f7cdc13e3fdf5f8ef13fc2171838a60ca343d3

SHA512
9f500ecb894617733700ddaa74178acdbaa6d27f9bc43e3e37e51a4cfacc193eee4ab6be72577b3c27490d8c786343e775dca5fb282a3872ea90d4ee01fcda05

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
0a32f97dea4c7e45046f4e73a1c61f3c

SHA1
c59948051b586d93326f74dfbd817c557c2014df

SHA256
f33d44c5068053acc333d30fc1f7cdc13e3fdf5f8ef13fc2171838a60ca343d3

SHA512
9f500ecb894617733700ddaa74178acdbaa6d27f9bc43e3e37e51a4cfacc193eee4ab6be72577b3c27490d8c786343e775dca5fb282a3872ea90d4ee01fcda05

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
0a32f97dea4c7e45046f4e73a1c61f3c

SHA1
c59948051b586d93326f74dfbd817c557c2014df

SHA256
f33d44c5068053acc333d30fc1f7cdc13e3fdf5f8ef13fc2171838a60ca343d3

SHA512
9f500ecb894617733700ddaa74178acdbaa6d27f9bc43e3e37e51a4cfacc193eee4ab6be72577b3c27490d8c786343e775dca5fb282a3872ea90d4ee01fcda05

Download Submit
memory/3984-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3984-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3984-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3984-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4032-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4032-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4032-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4032-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4032-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4032-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4032-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4496-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4496-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4496-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5020-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5020-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5020-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5020-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download