neconyd | 9e2f32e6a66f3f6a79928ba8b77e411b64dbe3377f27a264c7931e7f58d80bf0

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31-10-2023 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.541c7d11f0f3739d35437153c4329670.exe
Size

134KB
MD5

541c7d11f0f3739d35437153c4329670
SHA1

0046e4b6cb3b1f579d01df55877dcf5cf9ef59d4
SHA256

9e2f32e6a66f3f6a79928ba8b77e411b64dbe3377f27a264c7931e7f58d80bf0
SHA512

26a51dfe3ebdf96c217c1b80a3983f0dbfe8bbd891b14bf830226ff18842bc14357f776af3069cd17bf204f20829fe7f04fd00cbcd381ed41cb83f409b4048fe
SSDEEP

1536:hDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:BiRTeH0NqAW6J6f1tqF6dngNmaZC7M

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
1708	omsecor.exe
2340	omsecor.exe
2968	omsecor.exe
768	omsecor.exe
3008	omsecor.exe
2076	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2148	NEAS.541c7d11f0f3739d35437153c4329670.exe
2148	NEAS.541c7d11f0f3739d35437153c4329670.exe
1708	omsecor.exe
2340	omsecor.exe
2340	omsecor.exe
768	omsecor.exe
768	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1408 set thread context of 2148	1408	NEAS.541c7d11f0f3739d35437153c4329670.exe	28
PID 1708 set thread context of 2340	1708	omsecor.exe	30
PID 2968 set thread context of 768	2968	omsecor.exe	35
PID 3008 set thread context of 2076	3008	omsecor.exe	37

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 2148	1408	NEAS.541c7d11f0f3739d35437153c4329670.exe	28
PID 1408 wrote to memory of 2148	1408	NEAS.541c7d11f0f3739d35437153c4329670.exe	28
PID 1408 wrote to memory of 2148	1408	NEAS.541c7d11f0f3739d35437153c4329670.exe	28
PID 1408 wrote to memory of 2148	1408	NEAS.541c7d11f0f3739d35437153c4329670.exe	28
PID 1408 wrote to memory of 2148	1408	NEAS.541c7d11f0f3739d35437153c4329670.exe	28
PID 1408 wrote to memory of 2148	1408	NEAS.541c7d11f0f3739d35437153c4329670.exe	28
PID 2148 wrote to memory of 1708	2148	NEAS.541c7d11f0f3739d35437153c4329670.exe	29
PID 2148 wrote to memory of 1708	2148	NEAS.541c7d11f0f3739d35437153c4329670.exe	29
PID 2148 wrote to memory of 1708	2148	NEAS.541c7d11f0f3739d35437153c4329670.exe	29
PID 2148 wrote to memory of 1708	2148	NEAS.541c7d11f0f3739d35437153c4329670.exe	29
PID 1708 wrote to memory of 2340	1708	omsecor.exe	30
PID 1708 wrote to memory of 2340	1708	omsecor.exe	30
PID 1708 wrote to memory of 2340	1708	omsecor.exe	30
PID 1708 wrote to memory of 2340	1708	omsecor.exe	30
PID 1708 wrote to memory of 2340	1708	omsecor.exe	30
PID 1708 wrote to memory of 2340	1708	omsecor.exe	30
PID 2340 wrote to memory of 2968	2340	omsecor.exe	34
PID 2340 wrote to memory of 2968	2340	omsecor.exe	34
PID 2340 wrote to memory of 2968	2340	omsecor.exe	34
PID 2340 wrote to memory of 2968	2340	omsecor.exe	34
PID 2968 wrote to memory of 768	2968	omsecor.exe	35
PID 2968 wrote to memory of 768	2968	omsecor.exe	35
PID 2968 wrote to memory of 768	2968	omsecor.exe	35
PID 2968 wrote to memory of 768	2968	omsecor.exe	35
PID 2968 wrote to memory of 768	2968	omsecor.exe	35
PID 2968 wrote to memory of 768	2968	omsecor.exe	35
PID 768 wrote to memory of 3008	768	omsecor.exe	36
PID 768 wrote to memory of 3008	768	omsecor.exe	36
PID 768 wrote to memory of 3008	768	omsecor.exe	36
PID 768 wrote to memory of 3008	768	omsecor.exe	36
PID 3008 wrote to memory of 2076	3008	omsecor.exe	37
PID 3008 wrote to memory of 2076	3008	omsecor.exe	37
PID 3008 wrote to memory of 2076	3008	omsecor.exe	37
PID 3008 wrote to memory of 2076	3008	omsecor.exe	37
PID 3008 wrote to memory of 2076	3008	omsecor.exe	37
PID 3008 wrote to memory of 2076	3008	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\NEAS.541c7d11f0f3739d35437153c4329670.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.541c7d11f0f3739d35437153c4329670.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\NEAS.541c7d11f0f3739d35437153c4329670.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.541c7d11f0f3739d35437153c4329670.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:2076

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
482e015725fdd3ed898640f7874bfd62

SHA1
b0c010e35ff4340cf5ff0323b315fe1e07d2116b

SHA256
c2f8cae5af64eb33c1ad5d19fc7818e563c0c7b0dfd1be563271e4eba29742a4

SHA512
5811cab751bd2c5c0400bba50f3c23893f0554ece72f1a038ca221bd1b29c6e93edad7dcadbc5d77bf38bf380fff856c4451c0e2a9d1d801750133105c6bedc8

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
482e015725fdd3ed898640f7874bfd62

SHA1
b0c010e35ff4340cf5ff0323b315fe1e07d2116b

SHA256
c2f8cae5af64eb33c1ad5d19fc7818e563c0c7b0dfd1be563271e4eba29742a4

SHA512
5811cab751bd2c5c0400bba50f3c23893f0554ece72f1a038ca221bd1b29c6e93edad7dcadbc5d77bf38bf380fff856c4451c0e2a9d1d801750133105c6bedc8

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
482e015725fdd3ed898640f7874bfd62

SHA1
b0c010e35ff4340cf5ff0323b315fe1e07d2116b

SHA256
c2f8cae5af64eb33c1ad5d19fc7818e563c0c7b0dfd1be563271e4eba29742a4

SHA512
5811cab751bd2c5c0400bba50f3c23893f0554ece72f1a038ca221bd1b29c6e93edad7dcadbc5d77bf38bf380fff856c4451c0e2a9d1d801750133105c6bedc8

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
482e015725fdd3ed898640f7874bfd62

SHA1
b0c010e35ff4340cf5ff0323b315fe1e07d2116b

SHA256
c2f8cae5af64eb33c1ad5d19fc7818e563c0c7b0dfd1be563271e4eba29742a4

SHA512
5811cab751bd2c5c0400bba50f3c23893f0554ece72f1a038ca221bd1b29c6e93edad7dcadbc5d77bf38bf380fff856c4451c0e2a9d1d801750133105c6bedc8

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
84c567a05314172a6538600bbfc9de48

SHA1
fa80a22324f609dc45f670fda587b20a11a6bf54

SHA256
06c19827d266900848b40e41de096ff987bf5f1922760001f823acd4389cb911

SHA512
3c34e280c51c065a4f38c09a7e7025aa17c69d02e4c6ccc85d5dd61f7321b53f6bd5c2a50ea80c88b629647c23e5a16cb0e65c5db27e7b83cf0d8147e7155fca

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
84c567a05314172a6538600bbfc9de48

SHA1
fa80a22324f609dc45f670fda587b20a11a6bf54

SHA256
06c19827d266900848b40e41de096ff987bf5f1922760001f823acd4389cb911

SHA512
3c34e280c51c065a4f38c09a7e7025aa17c69d02e4c6ccc85d5dd61f7321b53f6bd5c2a50ea80c88b629647c23e5a16cb0e65c5db27e7b83cf0d8147e7155fca

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
84c567a05314172a6538600bbfc9de48

SHA1
fa80a22324f609dc45f670fda587b20a11a6bf54

SHA256
06c19827d266900848b40e41de096ff987bf5f1922760001f823acd4389cb911

SHA512
3c34e280c51c065a4f38c09a7e7025aa17c69d02e4c6ccc85d5dd61f7321b53f6bd5c2a50ea80c88b629647c23e5a16cb0e65c5db27e7b83cf0d8147e7155fca

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
84c567a05314172a6538600bbfc9de48

SHA1
fa80a22324f609dc45f670fda587b20a11a6bf54

SHA256
06c19827d266900848b40e41de096ff987bf5f1922760001f823acd4389cb911

SHA512
3c34e280c51c065a4f38c09a7e7025aa17c69d02e4c6ccc85d5dd61f7321b53f6bd5c2a50ea80c88b629647c23e5a16cb0e65c5db27e7b83cf0d8147e7155fca

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
7f5cdf436d9c88aabdf278acf2789b5d

SHA1
944dbc55835b6cfd5ea4f245d995faff2ce11b40

SHA256
8c79836b0e0f4b810c9048258e15e3deb9258f6900b0def2e1ae6aa9a4c01fc1

SHA512
9bdb6f68dc8982a8c0a007181c287c866a9b432a07b874c2fd0e8356b30505646f56d7bc8721ab64d32e5d3bd714c9a68a1aa60dee0af73d88aabf4c00c56cd6

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
7f5cdf436d9c88aabdf278acf2789b5d

SHA1
944dbc55835b6cfd5ea4f245d995faff2ce11b40

SHA256
8c79836b0e0f4b810c9048258e15e3deb9258f6900b0def2e1ae6aa9a4c01fc1

SHA512
9bdb6f68dc8982a8c0a007181c287c866a9b432a07b874c2fd0e8356b30505646f56d7bc8721ab64d32e5d3bd714c9a68a1aa60dee0af73d88aabf4c00c56cd6

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
7f5cdf436d9c88aabdf278acf2789b5d

SHA1
944dbc55835b6cfd5ea4f245d995faff2ce11b40

SHA256
8c79836b0e0f4b810c9048258e15e3deb9258f6900b0def2e1ae6aa9a4c01fc1

SHA512
9bdb6f68dc8982a8c0a007181c287c866a9b432a07b874c2fd0e8356b30505646f56d7bc8721ab64d32e5d3bd714c9a68a1aa60dee0af73d88aabf4c00c56cd6

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
7f5cdf436d9c88aabdf278acf2789b5d

SHA1
944dbc55835b6cfd5ea4f245d995faff2ce11b40

SHA256
8c79836b0e0f4b810c9048258e15e3deb9258f6900b0def2e1ae6aa9a4c01fc1

SHA512
9bdb6f68dc8982a8c0a007181c287c866a9b432a07b874c2fd0e8356b30505646f56d7bc8721ab64d32e5d3bd714c9a68a1aa60dee0af73d88aabf4c00c56cd6

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
482e015725fdd3ed898640f7874bfd62

SHA1
b0c010e35ff4340cf5ff0323b315fe1e07d2116b

SHA256
c2f8cae5af64eb33c1ad5d19fc7818e563c0c7b0dfd1be563271e4eba29742a4

SHA512
5811cab751bd2c5c0400bba50f3c23893f0554ece72f1a038ca221bd1b29c6e93edad7dcadbc5d77bf38bf380fff856c4451c0e2a9d1d801750133105c6bedc8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
482e015725fdd3ed898640f7874bfd62

SHA1
b0c010e35ff4340cf5ff0323b315fe1e07d2116b

SHA256
c2f8cae5af64eb33c1ad5d19fc7818e563c0c7b0dfd1be563271e4eba29742a4

SHA512
5811cab751bd2c5c0400bba50f3c23893f0554ece72f1a038ca221bd1b29c6e93edad7dcadbc5d77bf38bf380fff856c4451c0e2a9d1d801750133105c6bedc8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
482e015725fdd3ed898640f7874bfd62

SHA1
b0c010e35ff4340cf5ff0323b315fe1e07d2116b

SHA256
c2f8cae5af64eb33c1ad5d19fc7818e563c0c7b0dfd1be563271e4eba29742a4

SHA512
5811cab751bd2c5c0400bba50f3c23893f0554ece72f1a038ca221bd1b29c6e93edad7dcadbc5d77bf38bf380fff856c4451c0e2a9d1d801750133105c6bedc8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
84c567a05314172a6538600bbfc9de48

SHA1
fa80a22324f609dc45f670fda587b20a11a6bf54

SHA256
06c19827d266900848b40e41de096ff987bf5f1922760001f823acd4389cb911

SHA512
3c34e280c51c065a4f38c09a7e7025aa17c69d02e4c6ccc85d5dd61f7321b53f6bd5c2a50ea80c88b629647c23e5a16cb0e65c5db27e7b83cf0d8147e7155fca

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
84c567a05314172a6538600bbfc9de48

SHA1
fa80a22324f609dc45f670fda587b20a11a6bf54

SHA256
06c19827d266900848b40e41de096ff987bf5f1922760001f823acd4389cb911

SHA512
3c34e280c51c065a4f38c09a7e7025aa17c69d02e4c6ccc85d5dd61f7321b53f6bd5c2a50ea80c88b629647c23e5a16cb0e65c5db27e7b83cf0d8147e7155fca

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
7f5cdf436d9c88aabdf278acf2789b5d

SHA1
944dbc55835b6cfd5ea4f245d995faff2ce11b40

SHA256
8c79836b0e0f4b810c9048258e15e3deb9258f6900b0def2e1ae6aa9a4c01fc1

SHA512
9bdb6f68dc8982a8c0a007181c287c866a9b432a07b874c2fd0e8356b30505646f56d7bc8721ab64d32e5d3bd714c9a68a1aa60dee0af73d88aabf4c00c56cd6

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
7f5cdf436d9c88aabdf278acf2789b5d

SHA1
944dbc55835b6cfd5ea4f245d995faff2ce11b40

SHA256
8c79836b0e0f4b810c9048258e15e3deb9258f6900b0def2e1ae6aa9a4c01fc1

SHA512
9bdb6f68dc8982a8c0a007181c287c866a9b432a07b874c2fd0e8356b30505646f56d7bc8721ab64d32e5d3bd714c9a68a1aa60dee0af73d88aabf4c00c56cd6

Download Submit
memory/768-88-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/768-76-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/768-69-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1408-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1408-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1708-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1708-23-0x00000000002F0000-0x0000000000314000-memory.dmp

Filesize
144KB

Download
memory/1708-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2076-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2076-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2148-18-0x00000000003C0000-0x00000000003E4000-memory.dmp

Filesize
144KB

Download
memory/2148-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2148-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2148-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2148-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2148-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2340-45-0x00000000007D0000-0x00000000007F4000-memory.dmp

Filesize
144KB

Download
memory/2340-52-0x00000000007D0000-0x00000000007F4000-memory.dmp

Filesize
144KB

Download
memory/2340-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2968-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2968-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3008-85-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download