neconyd | fda238575d9bb4b30bce6fb14eb7c4762aa1edd3a8b19faad3b3cd216ae96fd7

Analysis

max time kernel
148s
max time network
158s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ee29d72cef5c9bdf8544ba520bb30f01.exe
Size

84KB
MD5

ee29d72cef5c9bdf8544ba520bb30f01
SHA1

6a74572b187eb9db8118e43cb243f20388201fea
SHA256

fda238575d9bb4b30bce6fb14eb7c4762aa1edd3a8b19faad3b3cd216ae96fd7
SHA512

8d00997e2806aedcc6aa4dea59fb41217cbe4aa6a4dfb075d5b0fd4ea1b4926e8d9e0eecf82e4396cc22105ccf995a729c257e940430a93277107ca5d3827b9b
SSDEEP

1536:Ad9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:gdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2148	omsecor.exe
3008	omsecor.exe
2504	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2136	NEAS.ee29d72cef5c9bdf8544ba520bb30f01.exe
2136	NEAS.ee29d72cef5c9bdf8544ba520bb30f01.exe
2148	omsecor.exe
2148	omsecor.exe
3008	omsecor.exe
3008	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2148	2136	NEAS.ee29d72cef5c9bdf8544ba520bb30f01.exe	28
PID 2136 wrote to memory of 2148	2136	NEAS.ee29d72cef5c9bdf8544ba520bb30f01.exe	28
PID 2136 wrote to memory of 2148	2136	NEAS.ee29d72cef5c9bdf8544ba520bb30f01.exe	28
PID 2136 wrote to memory of 2148	2136	NEAS.ee29d72cef5c9bdf8544ba520bb30f01.exe	28
PID 2148 wrote to memory of 3008	2148	omsecor.exe	32
PID 2148 wrote to memory of 3008	2148	omsecor.exe	32
PID 2148 wrote to memory of 3008	2148	omsecor.exe	32
PID 2148 wrote to memory of 3008	2148	omsecor.exe	32
PID 3008 wrote to memory of 2504	3008	omsecor.exe	33
PID 3008 wrote to memory of 2504	3008	omsecor.exe	33
PID 3008 wrote to memory of 2504	3008	omsecor.exe	33
PID 3008 wrote to memory of 2504	3008	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.ee29d72cef5c9bdf8544ba520bb30f01.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ee29d72cef5c9bdf8544ba520bb30f01.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:2504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
69400fbddc0cc27dcb80ae0c0c319f90

SHA1
b4ca0108f4ec5113bd02faef052760c798972a2d

SHA256
971be1611c2e93448695acfe175bc2206ed7dcb00261e8c67452fda8dec212fc

SHA512
99e69c3225f0a31c2ae5109cba240d55f236b5bc704c7092efb8e08a674633e3e41fc04f6746738f131988de768b621b737848487f1185853d16c1488ecea43e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
69400fbddc0cc27dcb80ae0c0c319f90

SHA1
b4ca0108f4ec5113bd02faef052760c798972a2d

SHA256
971be1611c2e93448695acfe175bc2206ed7dcb00261e8c67452fda8dec212fc

SHA512
99e69c3225f0a31c2ae5109cba240d55f236b5bc704c7092efb8e08a674633e3e41fc04f6746738f131988de768b621b737848487f1185853d16c1488ecea43e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
69400fbddc0cc27dcb80ae0c0c319f90

SHA1
b4ca0108f4ec5113bd02faef052760c798972a2d

SHA256
971be1611c2e93448695acfe175bc2206ed7dcb00261e8c67452fda8dec212fc

SHA512
99e69c3225f0a31c2ae5109cba240d55f236b5bc704c7092efb8e08a674633e3e41fc04f6746738f131988de768b621b737848487f1185853d16c1488ecea43e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
ac499f69c9d63f35b44db022f8040ee1

SHA1
12874409e81f536e14bb96b0118dab8693638a4d

SHA256
9f21426501f39469309b1fbab864e4f6224019d82c53fc9542bb704464b6d359

SHA512
59c73ea08ecd705dadfeafc83795a6ede254ac6255a758f4c5a7f7cf0617946e01138a0fddcb1d1fc9c62d5b87608f794d9214d0395805ba88c29a80228d6e7e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
ac499f69c9d63f35b44db022f8040ee1

SHA1
12874409e81f536e14bb96b0118dab8693638a4d

SHA256
9f21426501f39469309b1fbab864e4f6224019d82c53fc9542bb704464b6d359

SHA512
59c73ea08ecd705dadfeafc83795a6ede254ac6255a758f4c5a7f7cf0617946e01138a0fddcb1d1fc9c62d5b87608f794d9214d0395805ba88c29a80228d6e7e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
ac499f69c9d63f35b44db022f8040ee1

SHA1
12874409e81f536e14bb96b0118dab8693638a4d

SHA256
9f21426501f39469309b1fbab864e4f6224019d82c53fc9542bb704464b6d359

SHA512
59c73ea08ecd705dadfeafc83795a6ede254ac6255a758f4c5a7f7cf0617946e01138a0fddcb1d1fc9c62d5b87608f794d9214d0395805ba88c29a80228d6e7e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
1cd394db2f068e63d61ef68b60e4c2a1

SHA1
93f9fcab6ed76e389b2529ec6ed22c085e9d77ab

SHA256
b8b54a9089faa84fd21961dd1d3d66b084e134948ba0befe22583fb6831c171d

SHA512
9dd70f0d9eeb1a3e63a45352749b88673e15f5bf4091cf7c48e50922871fa8695c2ff052c72b218d536060b2585265e615fd8741ec7b345daeede3fe066d57f2

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
1cd394db2f068e63d61ef68b60e4c2a1

SHA1
93f9fcab6ed76e389b2529ec6ed22c085e9d77ab

SHA256
b8b54a9089faa84fd21961dd1d3d66b084e134948ba0befe22583fb6831c171d

SHA512
9dd70f0d9eeb1a3e63a45352749b88673e15f5bf4091cf7c48e50922871fa8695c2ff052c72b218d536060b2585265e615fd8741ec7b345daeede3fe066d57f2

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
1cd394db2f068e63d61ef68b60e4c2a1

SHA1
93f9fcab6ed76e389b2529ec6ed22c085e9d77ab

SHA256
b8b54a9089faa84fd21961dd1d3d66b084e134948ba0befe22583fb6831c171d

SHA512
9dd70f0d9eeb1a3e63a45352749b88673e15f5bf4091cf7c48e50922871fa8695c2ff052c72b218d536060b2585265e615fd8741ec7b345daeede3fe066d57f2

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
ac499f69c9d63f35b44db022f8040ee1

SHA1
12874409e81f536e14bb96b0118dab8693638a4d

SHA256
9f21426501f39469309b1fbab864e4f6224019d82c53fc9542bb704464b6d359

SHA512
59c73ea08ecd705dadfeafc83795a6ede254ac6255a758f4c5a7f7cf0617946e01138a0fddcb1d1fc9c62d5b87608f794d9214d0395805ba88c29a80228d6e7e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
69400fbddc0cc27dcb80ae0c0c319f90

SHA1
b4ca0108f4ec5113bd02faef052760c798972a2d

SHA256
971be1611c2e93448695acfe175bc2206ed7dcb00261e8c67452fda8dec212fc

SHA512
99e69c3225f0a31c2ae5109cba240d55f236b5bc704c7092efb8e08a674633e3e41fc04f6746738f131988de768b621b737848487f1185853d16c1488ecea43e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
69400fbddc0cc27dcb80ae0c0c319f90

SHA1
b4ca0108f4ec5113bd02faef052760c798972a2d

SHA256
971be1611c2e93448695acfe175bc2206ed7dcb00261e8c67452fda8dec212fc

SHA512
99e69c3225f0a31c2ae5109cba240d55f236b5bc704c7092efb8e08a674633e3e41fc04f6746738f131988de768b621b737848487f1185853d16c1488ecea43e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
ac499f69c9d63f35b44db022f8040ee1

SHA1
12874409e81f536e14bb96b0118dab8693638a4d

SHA256
9f21426501f39469309b1fbab864e4f6224019d82c53fc9542bb704464b6d359

SHA512
59c73ea08ecd705dadfeafc83795a6ede254ac6255a758f4c5a7f7cf0617946e01138a0fddcb1d1fc9c62d5b87608f794d9214d0395805ba88c29a80228d6e7e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
1cd394db2f068e63d61ef68b60e4c2a1

SHA1
93f9fcab6ed76e389b2529ec6ed22c085e9d77ab

SHA256
b8b54a9089faa84fd21961dd1d3d66b084e134948ba0befe22583fb6831c171d

SHA512
9dd70f0d9eeb1a3e63a45352749b88673e15f5bf4091cf7c48e50922871fa8695c2ff052c72b218d536060b2585265e615fd8741ec7b345daeede3fe066d57f2

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
1cd394db2f068e63d61ef68b60e4c2a1

SHA1
93f9fcab6ed76e389b2529ec6ed22c085e9d77ab

SHA256
b8b54a9089faa84fd21961dd1d3d66b084e134948ba0befe22583fb6831c171d

SHA512
9dd70f0d9eeb1a3e63a45352749b88673e15f5bf4091cf7c48e50922871fa8695c2ff052c72b218d536060b2585265e615fd8741ec7b345daeede3fe066d57f2

Download Submit