neconyd | 9e2f32e6a66f3f6a79928ba8b77e411b64dbe3377f27a264c7931e7f58d80bf0

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.541c7d11f0f3739d35437153c4329670.exe
Size

134KB
MD5

541c7d11f0f3739d35437153c4329670
SHA1

0046e4b6cb3b1f579d01df55877dcf5cf9ef59d4
SHA256

9e2f32e6a66f3f6a79928ba8b77e411b64dbe3377f27a264c7931e7f58d80bf0
SHA512

26a51dfe3ebdf96c217c1b80a3983f0dbfe8bbd891b14bf830226ff18842bc14357f776af3069cd17bf204f20829fe7f04fd00cbcd381ed41cb83f409b4048fe
SSDEEP

1536:hDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:BiRTeH0NqAW6J6f1tqF6dngNmaZC7M

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
5040	omsecor.exe
968	omsecor.exe
100	omsecor.exe
4672	omsecor.exe
1340	omsecor.exe
2080	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1080 set thread context of 4372	1080	NEAS.541c7d11f0f3739d35437153c4329670.exe	90
PID 5040 set thread context of 968	5040	omsecor.exe	96
PID 100 set thread context of 4672	100	omsecor.exe	116
PID 1340 set thread context of 2080	1340	omsecor.exe	120

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2736	1080	WerFault.exe	87
732	5040	WerFault.exe	94
3556	100	WerFault.exe	115
3388	1340	WerFault.exe	119

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 4372	1080	NEAS.541c7d11f0f3739d35437153c4329670.exe	90
PID 1080 wrote to memory of 4372	1080	NEAS.541c7d11f0f3739d35437153c4329670.exe	90
PID 1080 wrote to memory of 4372	1080	NEAS.541c7d11f0f3739d35437153c4329670.exe	90
PID 1080 wrote to memory of 4372	1080	NEAS.541c7d11f0f3739d35437153c4329670.exe	90
PID 1080 wrote to memory of 4372	1080	NEAS.541c7d11f0f3739d35437153c4329670.exe	90
PID 4372 wrote to memory of 5040	4372	NEAS.541c7d11f0f3739d35437153c4329670.exe	94
PID 4372 wrote to memory of 5040	4372	NEAS.541c7d11f0f3739d35437153c4329670.exe	94
PID 4372 wrote to memory of 5040	4372	NEAS.541c7d11f0f3739d35437153c4329670.exe	94
PID 5040 wrote to memory of 968	5040	omsecor.exe	96
PID 5040 wrote to memory of 968	5040	omsecor.exe	96
PID 5040 wrote to memory of 968	5040	omsecor.exe	96
PID 5040 wrote to memory of 968	5040	omsecor.exe	96
PID 5040 wrote to memory of 968	5040	omsecor.exe	96
PID 968 wrote to memory of 100	968	omsecor.exe	115
PID 968 wrote to memory of 100	968	omsecor.exe	115
PID 968 wrote to memory of 100	968	omsecor.exe	115
PID 100 wrote to memory of 4672	100	omsecor.exe	116
PID 100 wrote to memory of 4672	100	omsecor.exe	116
PID 100 wrote to memory of 4672	100	omsecor.exe	116
PID 100 wrote to memory of 4672	100	omsecor.exe	116
PID 100 wrote to memory of 4672	100	omsecor.exe	116
PID 4672 wrote to memory of 1340	4672	omsecor.exe	119
PID 4672 wrote to memory of 1340	4672	omsecor.exe	119
PID 4672 wrote to memory of 1340	4672	omsecor.exe	119
PID 1340 wrote to memory of 2080	1340	omsecor.exe	120
PID 1340 wrote to memory of 2080	1340	omsecor.exe	120
PID 1340 wrote to memory of 2080	1340	omsecor.exe	120
PID 1340 wrote to memory of 2080	1340	omsecor.exe	120
PID 1340 wrote to memory of 2080	1340	omsecor.exe	120

C:\Users\Admin\AppData\Local\Temp\NEAS.541c7d11f0f3739d35437153c4329670.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.541c7d11f0f3739d35437153c4329670.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\NEAS.541c7d11f0f3739d35437153c4329670.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.541c7d11f0f3739d35437153c4329670.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:968
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:100
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 256
        8⤵
        Program crash
        
        PID:3388
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 292
        6⤵
        Program crash
        
        PID:3556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 288
      4⤵
      Program crash
      PID:732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 300
  2⤵
  - Program crash
  PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1080 -ip 1080
1⤵
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5040 -ip 5040
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 100 -ip 100
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1340 -ip 1340
1⤵
PID:2156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
482e015725fdd3ed898640f7874bfd62

SHA1
b0c010e35ff4340cf5ff0323b315fe1e07d2116b

SHA256
c2f8cae5af64eb33c1ad5d19fc7818e563c0c7b0dfd1be563271e4eba29742a4

SHA512
5811cab751bd2c5c0400bba50f3c23893f0554ece72f1a038ca221bd1b29c6e93edad7dcadbc5d77bf38bf380fff856c4451c0e2a9d1d801750133105c6bedc8

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
b419841152e95f3779e6e8cc8de4ded3

SHA1
0b4d09567d3c7e10bf24bc7d5858f4f51741a88e

SHA256
b441fbb5d1d882cea9f3ef7360d3730e061d95a8b9486c1292902c49070a5250

SHA512
c7dfec10c5e9f2864359c6eb9eb76b1269bfed9662a7394d36a29ba7d6200eedf818165cdaf86089a3cfffeee2e67b513eaf94f8cfe0ffe5016bda30ed1ffabf

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
b419841152e95f3779e6e8cc8de4ded3

SHA1
0b4d09567d3c7e10bf24bc7d5858f4f51741a88e

SHA256
b441fbb5d1d882cea9f3ef7360d3730e061d95a8b9486c1292902c49070a5250

SHA512
c7dfec10c5e9f2864359c6eb9eb76b1269bfed9662a7394d36a29ba7d6200eedf818165cdaf86089a3cfffeee2e67b513eaf94f8cfe0ffe5016bda30ed1ffabf

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
b419841152e95f3779e6e8cc8de4ded3

SHA1
0b4d09567d3c7e10bf24bc7d5858f4f51741a88e

SHA256
b441fbb5d1d882cea9f3ef7360d3730e061d95a8b9486c1292902c49070a5250

SHA512
c7dfec10c5e9f2864359c6eb9eb76b1269bfed9662a7394d36a29ba7d6200eedf818165cdaf86089a3cfffeee2e67b513eaf94f8cfe0ffe5016bda30ed1ffabf

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
482e015725fdd3ed898640f7874bfd62

SHA1
b0c010e35ff4340cf5ff0323b315fe1e07d2116b

SHA256
c2f8cae5af64eb33c1ad5d19fc7818e563c0c7b0dfd1be563271e4eba29742a4

SHA512
5811cab751bd2c5c0400bba50f3c23893f0554ece72f1a038ca221bd1b29c6e93edad7dcadbc5d77bf38bf380fff856c4451c0e2a9d1d801750133105c6bedc8

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
482e015725fdd3ed898640f7874bfd62

SHA1
b0c010e35ff4340cf5ff0323b315fe1e07d2116b

SHA256
c2f8cae5af64eb33c1ad5d19fc7818e563c0c7b0dfd1be563271e4eba29742a4

SHA512
5811cab751bd2c5c0400bba50f3c23893f0554ece72f1a038ca221bd1b29c6e93edad7dcadbc5d77bf38bf380fff856c4451c0e2a9d1d801750133105c6bedc8

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
34a88f804b7ff34506dccf9112fd116f

SHA1
a6110c50728ad94dfa5b64d67d037e2c3635f8ad

SHA256
c18ea3db0403f25a2417f0a7f25590874c6b2b36e10f5ad6ba7ad07a6885b08c

SHA512
24ca3131c4c12c44ed21b799059106d0d78f3ead53009f9cea6d5d79b1b7cc1882aff62e9a6cdf9d6a89e30279e078f74f6f2750f051429228427269a64b96c6

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
34a88f804b7ff34506dccf9112fd116f

SHA1
a6110c50728ad94dfa5b64d67d037e2c3635f8ad

SHA256
c18ea3db0403f25a2417f0a7f25590874c6b2b36e10f5ad6ba7ad07a6885b08c

SHA512
24ca3131c4c12c44ed21b799059106d0d78f3ead53009f9cea6d5d79b1b7cc1882aff62e9a6cdf9d6a89e30279e078f74f6f2750f051429228427269a64b96c6

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
34a88f804b7ff34506dccf9112fd116f

SHA1
a6110c50728ad94dfa5b64d67d037e2c3635f8ad

SHA256
c18ea3db0403f25a2417f0a7f25590874c6b2b36e10f5ad6ba7ad07a6885b08c

SHA512
24ca3131c4c12c44ed21b799059106d0d78f3ead53009f9cea6d5d79b1b7cc1882aff62e9a6cdf9d6a89e30279e078f74f6f2750f051429228427269a64b96c6

Download Submit
memory/100-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/968-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/968-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/968-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/968-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/968-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/968-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/968-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1080-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1080-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1340-40-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2080-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2080-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2080-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2080-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4372-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4372-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4372-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4372-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4672-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4672-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4672-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5040-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5040-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download