neconyd | 720fc24af0a1434e4cf7016841e4ce06ba3e3e317992fc14cce58173be57199a

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.3fdab96491d09b032acf294ae8bb3ba0_JC.exe
Size

134KB
MD5

3fdab96491d09b032acf294ae8bb3ba0
SHA1

cd46151c6d79f9bb0e717345a62ad8fee0eb26f3
SHA256

720fc24af0a1434e4cf7016841e4ce06ba3e3e317992fc14cce58173be57199a
SHA512

8423db1574166ba9c1d5c1e2ad6e0828f94ef8e81df4f9fd8b90c067eea12ca657383a8c9f538ff909aceb86613c84996338581b9a0f5cc043b71e1fccea987c
SSDEEP

1536:hDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:BiRTeH0NqAW6J6f1tqF6dngNmaZC7M

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
2476	omsecor.exe
4292	omsecor.exe
4040	omsecor.exe
5024	omsecor.exe
3776	omsecor.exe
2900	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1768 set thread context of 2816	1768	NEAS.3fdab96491d09b032acf294ae8bb3ba0_JC.exe	84
PID 2476 set thread context of 4292	2476	omsecor.exe	89
PID 4040 set thread context of 5024	4040	omsecor.exe	112
PID 3776 set thread context of 2900	3776	omsecor.exe	116

Program crash 4 IoCs

pid	pid_target	Process	procid_target
180	1768	WerFault.exe	83
964	2476	WerFault.exe	87
4580	4040	WerFault.exe	111
3212	3776	WerFault.exe	115

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2816	1768	NEAS.3fdab96491d09b032acf294ae8bb3ba0_JC.exe	84
PID 1768 wrote to memory of 2816	1768	NEAS.3fdab96491d09b032acf294ae8bb3ba0_JC.exe	84
PID 1768 wrote to memory of 2816	1768	NEAS.3fdab96491d09b032acf294ae8bb3ba0_JC.exe	84
PID 1768 wrote to memory of 2816	1768	NEAS.3fdab96491d09b032acf294ae8bb3ba0_JC.exe	84
PID 1768 wrote to memory of 2816	1768	NEAS.3fdab96491d09b032acf294ae8bb3ba0_JC.exe	84
PID 2816 wrote to memory of 2476	2816	NEAS.3fdab96491d09b032acf294ae8bb3ba0_JC.exe	87
PID 2816 wrote to memory of 2476	2816	NEAS.3fdab96491d09b032acf294ae8bb3ba0_JC.exe	87
PID 2816 wrote to memory of 2476	2816	NEAS.3fdab96491d09b032acf294ae8bb3ba0_JC.exe	87
PID 2476 wrote to memory of 4292	2476	omsecor.exe	89
PID 2476 wrote to memory of 4292	2476	omsecor.exe	89
PID 2476 wrote to memory of 4292	2476	omsecor.exe	89
PID 2476 wrote to memory of 4292	2476	omsecor.exe	89
PID 2476 wrote to memory of 4292	2476	omsecor.exe	89
PID 4292 wrote to memory of 4040	4292	omsecor.exe	111
PID 4292 wrote to memory of 4040	4292	omsecor.exe	111
PID 4292 wrote to memory of 4040	4292	omsecor.exe	111
PID 4040 wrote to memory of 5024	4040	omsecor.exe	112
PID 4040 wrote to memory of 5024	4040	omsecor.exe	112
PID 4040 wrote to memory of 5024	4040	omsecor.exe	112
PID 4040 wrote to memory of 5024	4040	omsecor.exe	112
PID 4040 wrote to memory of 5024	4040	omsecor.exe	112
PID 5024 wrote to memory of 3776	5024	omsecor.exe	115
PID 5024 wrote to memory of 3776	5024	omsecor.exe	115
PID 5024 wrote to memory of 3776	5024	omsecor.exe	115
PID 3776 wrote to memory of 2900	3776	omsecor.exe	116
PID 3776 wrote to memory of 2900	3776	omsecor.exe	116
PID 3776 wrote to memory of 2900	3776	omsecor.exe	116
PID 3776 wrote to memory of 2900	3776	omsecor.exe	116
PID 3776 wrote to memory of 2900	3776	omsecor.exe	116

C:\Users\Admin\AppData\Local\Temp\NEAS.3fdab96491d09b032acf294ae8bb3ba0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3fdab96491d09b032acf294ae8bb3ba0_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\NEAS.3fdab96491d09b032acf294ae8bb3ba0_JC.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.3fdab96491d09b032acf294ae8bb3ba0_JC.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4292
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4040
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 244
        8⤵
        Program crash
        
        PID:3212
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 292
        6⤵
        Program crash
        
        PID:4580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 288
      4⤵
      Program crash
      PID:964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 300
  2⤵
  - Program crash
  PID:180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1768 -ip 1768
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2476 -ip 2476
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4040 -ip 4040
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3776 -ip 3776
1⤵
PID:3416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
f7ede7db5e9ce293a554739a7c1afba1

SHA1
b1e279138d775ed6beaeb798a1c3a97b4fd0fd5b

SHA256
32f2db76342518b226c8de1ee35574b9bb8e9d20e45b8a19b335b067c18c25fd

SHA512
b5c6591179ecb6a516add5a0599eccf7b17bbc4aab44be63533335a082ca84715d6746ab8ed3d7710499a9d1de16145084e526fae7984ef1bb8b2ef2b194f074

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
62f21729e0154a6b7ef148111de8dd17

SHA1
a29661e5d66408fb137d6adbc625db047fafe449

SHA256
ad37ed1ad8d2a80f7ceb07a3db39db6230927b289e4886a42aade70da8b1d169

SHA512
16e56caa4fbccae837cb9e4a9ef492248293ad8d558e13947bad57b9264018c85470d0970cdf3cb1d5060cbbfedae1943fcd70cd72d3f7943ed2ef8392907dbe

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
62f21729e0154a6b7ef148111de8dd17

SHA1
a29661e5d66408fb137d6adbc625db047fafe449

SHA256
ad37ed1ad8d2a80f7ceb07a3db39db6230927b289e4886a42aade70da8b1d169

SHA512
16e56caa4fbccae837cb9e4a9ef492248293ad8d558e13947bad57b9264018c85470d0970cdf3cb1d5060cbbfedae1943fcd70cd72d3f7943ed2ef8392907dbe

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
62f21729e0154a6b7ef148111de8dd17

SHA1
a29661e5d66408fb137d6adbc625db047fafe449

SHA256
ad37ed1ad8d2a80f7ceb07a3db39db6230927b289e4886a42aade70da8b1d169

SHA512
16e56caa4fbccae837cb9e4a9ef492248293ad8d558e13947bad57b9264018c85470d0970cdf3cb1d5060cbbfedae1943fcd70cd72d3f7943ed2ef8392907dbe

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
f7ede7db5e9ce293a554739a7c1afba1

SHA1
b1e279138d775ed6beaeb798a1c3a97b4fd0fd5b

SHA256
32f2db76342518b226c8de1ee35574b9bb8e9d20e45b8a19b335b067c18c25fd

SHA512
b5c6591179ecb6a516add5a0599eccf7b17bbc4aab44be63533335a082ca84715d6746ab8ed3d7710499a9d1de16145084e526fae7984ef1bb8b2ef2b194f074

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
f7ede7db5e9ce293a554739a7c1afba1

SHA1
b1e279138d775ed6beaeb798a1c3a97b4fd0fd5b

SHA256
32f2db76342518b226c8de1ee35574b9bb8e9d20e45b8a19b335b067c18c25fd

SHA512
b5c6591179ecb6a516add5a0599eccf7b17bbc4aab44be63533335a082ca84715d6746ab8ed3d7710499a9d1de16145084e526fae7984ef1bb8b2ef2b194f074

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
fb09617fbcc6e8cdc11d6488660cfa61

SHA1
dcb3c699c04001947dd94c05d453411102f50308

SHA256
770313ac811d91cf68883f200b1e72aa52e277a4947885af94bc4d36cf805edd

SHA512
bc4b0098d06ffc10a88c3b7ecbfdaab8431a3a3bef475afe5f2dcaa0045939b118abc9a88b0c05c650604d0c40325ef6e50ca6740efac71b3e1095a13574055d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
fb09617fbcc6e8cdc11d6488660cfa61

SHA1
dcb3c699c04001947dd94c05d453411102f50308

SHA256
770313ac811d91cf68883f200b1e72aa52e277a4947885af94bc4d36cf805edd

SHA512
bc4b0098d06ffc10a88c3b7ecbfdaab8431a3a3bef475afe5f2dcaa0045939b118abc9a88b0c05c650604d0c40325ef6e50ca6740efac71b3e1095a13574055d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
fb09617fbcc6e8cdc11d6488660cfa61

SHA1
dcb3c699c04001947dd94c05d453411102f50308

SHA256
770313ac811d91cf68883f200b1e72aa52e277a4947885af94bc4d36cf805edd

SHA512
bc4b0098d06ffc10a88c3b7ecbfdaab8431a3a3bef475afe5f2dcaa0045939b118abc9a88b0c05c650604d0c40325ef6e50ca6740efac71b3e1095a13574055d

Download Submit
memory/1768-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1768-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2476-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2816-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2816-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2816-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2816-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2900-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2900-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2900-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2900-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3776-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4040-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4292-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4292-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4292-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4292-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4292-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4292-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4292-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5024-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5024-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5024-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download