neconyd | 6ef1e83d0cc167082b4fef057bfa63f64e8098386048526fa32e15cba7a91cd8

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 14:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9a618c0cd4cf0ae8840b7bd7762e9900.exe
Size

61KB
MD5

9a618c0cd4cf0ae8840b7bd7762e9900
SHA1

bdea786f9e2d34e7eb1c13dbe01fb23166fe96c6
SHA256

6ef1e83d0cc167082b4fef057bfa63f64e8098386048526fa32e15cba7a91cd8
SHA512

d37a386115f9d3abf0921c6db77c9b731147cbb74098a0f2b17a432c255007078f0391f51daa71dee2c0dfe762991da1ec648da3e82c98abaff5b857e0989c0f
SSDEEP

768:VMEIvFGvZEr8LFK0ic46N47eSdYAHwmZOp6JXXlaa5uA:VbIvYvZEyFKF6N4yS+AQmZrl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2192	omsecor.exe
2752	omsecor.exe
2612	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1980	NEAS.9a618c0cd4cf0ae8840b7bd7762e9900.exe
1980	NEAS.9a618c0cd4cf0ae8840b7bd7762e9900.exe
2192	omsecor.exe
2192	omsecor.exe
2752	omsecor.exe
2752	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2192	1980	NEAS.9a618c0cd4cf0ae8840b7bd7762e9900.exe	28
PID 1980 wrote to memory of 2192	1980	NEAS.9a618c0cd4cf0ae8840b7bd7762e9900.exe	28
PID 1980 wrote to memory of 2192	1980	NEAS.9a618c0cd4cf0ae8840b7bd7762e9900.exe	28
PID 1980 wrote to memory of 2192	1980	NEAS.9a618c0cd4cf0ae8840b7bd7762e9900.exe	28
PID 2192 wrote to memory of 2752	2192	omsecor.exe	32
PID 2192 wrote to memory of 2752	2192	omsecor.exe	32
PID 2192 wrote to memory of 2752	2192	omsecor.exe	32
PID 2192 wrote to memory of 2752	2192	omsecor.exe	32
PID 2752 wrote to memory of 2612	2752	omsecor.exe	33
PID 2752 wrote to memory of 2612	2752	omsecor.exe	33
PID 2752 wrote to memory of 2612	2752	omsecor.exe	33
PID 2752 wrote to memory of 2612	2752	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.9a618c0cd4cf0ae8840b7bd7762e9900.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9a618c0cd4cf0ae8840b7bd7762e9900.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:2612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
4de41bb11185c5ba693763c751ce5d46

SHA1
e488bc8ae04f8be61b3d218ffa1190d7e7a54326

SHA256
2173c38fd72ffa8a768dbd8520f35a2a931e5fe2a5d029cdb1b0ef058fbea205

SHA512
b9a51a5fef398c2f224536ccf64e8cc29acbca1d08baade9649ed12ffa2085ba69b11eca352026b39d6c310af74f47b0205ed81169ffaf2be758062c0cfacdf1

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
4de41bb11185c5ba693763c751ce5d46

SHA1
e488bc8ae04f8be61b3d218ffa1190d7e7a54326

SHA256
2173c38fd72ffa8a768dbd8520f35a2a931e5fe2a5d029cdb1b0ef058fbea205

SHA512
b9a51a5fef398c2f224536ccf64e8cc29acbca1d08baade9649ed12ffa2085ba69b11eca352026b39d6c310af74f47b0205ed81169ffaf2be758062c0cfacdf1

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
4de41bb11185c5ba693763c751ce5d46

SHA1
e488bc8ae04f8be61b3d218ffa1190d7e7a54326

SHA256
2173c38fd72ffa8a768dbd8520f35a2a931e5fe2a5d029cdb1b0ef058fbea205

SHA512
b9a51a5fef398c2f224536ccf64e8cc29acbca1d08baade9649ed12ffa2085ba69b11eca352026b39d6c310af74f47b0205ed81169ffaf2be758062c0cfacdf1

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
7b3f4ef34bfcd6ff57c80bb21e529414

SHA1
d88628704da53a43a91cbd14c9cb0571ea6de882

SHA256
8fffc6587a93bc9c811b2848893ed9427223912f6c7b46e69dcfdee8f42a9796

SHA512
0083c151b4d6e337809619771602e5562a2441e57a5a1f8dd1cedff3a9534da718f71e2d97e3094d10794c3b4cd129fc6faa843639586e1044e455f120722995

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
7b3f4ef34bfcd6ff57c80bb21e529414

SHA1
d88628704da53a43a91cbd14c9cb0571ea6de882

SHA256
8fffc6587a93bc9c811b2848893ed9427223912f6c7b46e69dcfdee8f42a9796

SHA512
0083c151b4d6e337809619771602e5562a2441e57a5a1f8dd1cedff3a9534da718f71e2d97e3094d10794c3b4cd129fc6faa843639586e1044e455f120722995

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
7b3f4ef34bfcd6ff57c80bb21e529414

SHA1
d88628704da53a43a91cbd14c9cb0571ea6de882

SHA256
8fffc6587a93bc9c811b2848893ed9427223912f6c7b46e69dcfdee8f42a9796

SHA512
0083c151b4d6e337809619771602e5562a2441e57a5a1f8dd1cedff3a9534da718f71e2d97e3094d10794c3b4cd129fc6faa843639586e1044e455f120722995

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
9a7dd01a7842acd9fc4949206e2dddf8

SHA1
2e85fce680b1a7ef9715ab26354ead01b99a0caa

SHA256
1771d1e8bda33154070865d2586c2562c9b944d9641d4ea484ae48ef1f867775

SHA512
40b5811b5f32200c79a80879ca88b7676d292b0aac25256201f7fcf0a88b87fcdb8161ca2bb921184cc0c8a96587615388b4ac6710b210ffab823c83e2bff667

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
9a7dd01a7842acd9fc4949206e2dddf8

SHA1
2e85fce680b1a7ef9715ab26354ead01b99a0caa

SHA256
1771d1e8bda33154070865d2586c2562c9b944d9641d4ea484ae48ef1f867775

SHA512
40b5811b5f32200c79a80879ca88b7676d292b0aac25256201f7fcf0a88b87fcdb8161ca2bb921184cc0c8a96587615388b4ac6710b210ffab823c83e2bff667

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
9a7dd01a7842acd9fc4949206e2dddf8

SHA1
2e85fce680b1a7ef9715ab26354ead01b99a0caa

SHA256
1771d1e8bda33154070865d2586c2562c9b944d9641d4ea484ae48ef1f867775

SHA512
40b5811b5f32200c79a80879ca88b7676d292b0aac25256201f7fcf0a88b87fcdb8161ca2bb921184cc0c8a96587615388b4ac6710b210ffab823c83e2bff667

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
7b3f4ef34bfcd6ff57c80bb21e529414

SHA1
d88628704da53a43a91cbd14c9cb0571ea6de882

SHA256
8fffc6587a93bc9c811b2848893ed9427223912f6c7b46e69dcfdee8f42a9796

SHA512
0083c151b4d6e337809619771602e5562a2441e57a5a1f8dd1cedff3a9534da718f71e2d97e3094d10794c3b4cd129fc6faa843639586e1044e455f120722995

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
4de41bb11185c5ba693763c751ce5d46

SHA1
e488bc8ae04f8be61b3d218ffa1190d7e7a54326

SHA256
2173c38fd72ffa8a768dbd8520f35a2a931e5fe2a5d029cdb1b0ef058fbea205

SHA512
b9a51a5fef398c2f224536ccf64e8cc29acbca1d08baade9649ed12ffa2085ba69b11eca352026b39d6c310af74f47b0205ed81169ffaf2be758062c0cfacdf1

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
4de41bb11185c5ba693763c751ce5d46

SHA1
e488bc8ae04f8be61b3d218ffa1190d7e7a54326

SHA256
2173c38fd72ffa8a768dbd8520f35a2a931e5fe2a5d029cdb1b0ef058fbea205

SHA512
b9a51a5fef398c2f224536ccf64e8cc29acbca1d08baade9649ed12ffa2085ba69b11eca352026b39d6c310af74f47b0205ed81169ffaf2be758062c0cfacdf1

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
7b3f4ef34bfcd6ff57c80bb21e529414

SHA1
d88628704da53a43a91cbd14c9cb0571ea6de882

SHA256
8fffc6587a93bc9c811b2848893ed9427223912f6c7b46e69dcfdee8f42a9796

SHA512
0083c151b4d6e337809619771602e5562a2441e57a5a1f8dd1cedff3a9534da718f71e2d97e3094d10794c3b4cd129fc6faa843639586e1044e455f120722995

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
9a7dd01a7842acd9fc4949206e2dddf8

SHA1
2e85fce680b1a7ef9715ab26354ead01b99a0caa

SHA256
1771d1e8bda33154070865d2586c2562c9b944d9641d4ea484ae48ef1f867775

SHA512
40b5811b5f32200c79a80879ca88b7676d292b0aac25256201f7fcf0a88b87fcdb8161ca2bb921184cc0c8a96587615388b4ac6710b210ffab823c83e2bff667

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
9a7dd01a7842acd9fc4949206e2dddf8

SHA1
2e85fce680b1a7ef9715ab26354ead01b99a0caa

SHA256
1771d1e8bda33154070865d2586c2562c9b944d9641d4ea484ae48ef1f867775

SHA512
40b5811b5f32200c79a80879ca88b7676d292b0aac25256201f7fcf0a88b87fcdb8161ca2bb921184cc0c8a96587615388b4ac6710b210ffab823c83e2bff667

Download Submit