neconyd | a9bf143ee16f5dd45c317c816f23050cef162b6d80e3ea4b8b15b74c1618f95f

Resubmissions

04/11/2023, 09:23

231104-lcrg5agg82 10

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
04/11/2023, 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.081004dd1129376d07977b8b3970a6d0_JC.exe
Size

68KB
MD5

081004dd1129376d07977b8b3970a6d0
SHA1

2552ab24685c53f9292c1699d3d756e4e3c59051
SHA256

a9bf143ee16f5dd45c317c816f23050cef162b6d80e3ea4b8b15b74c1618f95f
SHA512

1ffeab79999ad6a8ce839a28ead732d107b89a8e0d944282a2c41d343fc1e8e3fc73ed392f8ecab7c5fe90bb5c10b29ccfbdf378c69357be29405c5f0e995937
SSDEEP

1536:jd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:DdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2940	omsecor.exe
2580	omsecor.exe
3060	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2096	NEAS.081004dd1129376d07977b8b3970a6d0_JC.exe
2096	NEAS.081004dd1129376d07977b8b3970a6d0_JC.exe
2940	omsecor.exe
2940	omsecor.exe
2580	omsecor.exe
2580	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2940	2096	NEAS.081004dd1129376d07977b8b3970a6d0_JC.exe	28
PID 2096 wrote to memory of 2940	2096	NEAS.081004dd1129376d07977b8b3970a6d0_JC.exe	28
PID 2096 wrote to memory of 2940	2096	NEAS.081004dd1129376d07977b8b3970a6d0_JC.exe	28
PID 2096 wrote to memory of 2940	2096	NEAS.081004dd1129376d07977b8b3970a6d0_JC.exe	28
PID 2940 wrote to memory of 2580	2940	omsecor.exe	32
PID 2940 wrote to memory of 2580	2940	omsecor.exe	32
PID 2940 wrote to memory of 2580	2940	omsecor.exe	32
PID 2940 wrote to memory of 2580	2940	omsecor.exe	32
PID 2580 wrote to memory of 3060	2580	omsecor.exe	33
PID 2580 wrote to memory of 3060	2580	omsecor.exe	33
PID 2580 wrote to memory of 3060	2580	omsecor.exe	33
PID 2580 wrote to memory of 3060	2580	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.081004dd1129376d07977b8b3970a6d0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.081004dd1129376d07977b8b3970a6d0_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:3060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
59497adebf730d817315eeb262e20b13

SHA1
be148303a77a5f656dc730b73febf7680df45979

SHA256
e0711e3a7a2f59078bf7cb2ff86a1d08a18624beea4617c6971422604ab1c03d

SHA512
1be719ccb42a5bab340dc5b88d48c14b83a17ff164a3e6a98b7c1275b5ee5b7f8d3c85a7ad6ee95db2552ddaa73cb4621c3ee4286641c16b20bb3d6c5308f05f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
59497adebf730d817315eeb262e20b13

SHA1
be148303a77a5f656dc730b73febf7680df45979

SHA256
e0711e3a7a2f59078bf7cb2ff86a1d08a18624beea4617c6971422604ab1c03d

SHA512
1be719ccb42a5bab340dc5b88d48c14b83a17ff164a3e6a98b7c1275b5ee5b7f8d3c85a7ad6ee95db2552ddaa73cb4621c3ee4286641c16b20bb3d6c5308f05f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
59497adebf730d817315eeb262e20b13

SHA1
be148303a77a5f656dc730b73febf7680df45979

SHA256
e0711e3a7a2f59078bf7cb2ff86a1d08a18624beea4617c6971422604ab1c03d

SHA512
1be719ccb42a5bab340dc5b88d48c14b83a17ff164a3e6a98b7c1275b5ee5b7f8d3c85a7ad6ee95db2552ddaa73cb4621c3ee4286641c16b20bb3d6c5308f05f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
68c911a37fb10b4fad72e29aaba072b2

SHA1
a487969cfbeb9d25234cec55325c1771203b96a1

SHA256
d36b5388baddd5c520d7a59eaf99c4210845ce25bb1064a8ed999ad83d0713b4

SHA512
77098b5f51b49b80645789a3e33ffb72db0a9a0aaf1bc186ca86ca4978714f06ec7342bb1101c98df8f8945dd099dd3275903d89d3516ebd1260aa29a5b6f407

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
68c911a37fb10b4fad72e29aaba072b2

SHA1
a487969cfbeb9d25234cec55325c1771203b96a1

SHA256
d36b5388baddd5c520d7a59eaf99c4210845ce25bb1064a8ed999ad83d0713b4

SHA512
77098b5f51b49b80645789a3e33ffb72db0a9a0aaf1bc186ca86ca4978714f06ec7342bb1101c98df8f8945dd099dd3275903d89d3516ebd1260aa29a5b6f407

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
68c911a37fb10b4fad72e29aaba072b2

SHA1
a487969cfbeb9d25234cec55325c1771203b96a1

SHA256
d36b5388baddd5c520d7a59eaf99c4210845ce25bb1064a8ed999ad83d0713b4

SHA512
77098b5f51b49b80645789a3e33ffb72db0a9a0aaf1bc186ca86ca4978714f06ec7342bb1101c98df8f8945dd099dd3275903d89d3516ebd1260aa29a5b6f407

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
68KB

MD5
5bf1e4d689682fb486e89dd6e62833c6

SHA1
c54ba4ccaa7000dd9a9023b68bc3ca5e3ab21df4

SHA256
be5cf6c5631b200035aaed41bb06f696725ef65553d774a77113b33bcf4e37a7

SHA512
acead40fe19106636208dfc40d65ac0ebe9bd79003fa12470782434a9dac2670e074cb855f06ea43be800bbff487e921d8912e8342df1b75d322b3faa8f6bf6e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
68KB

MD5
5bf1e4d689682fb486e89dd6e62833c6

SHA1
c54ba4ccaa7000dd9a9023b68bc3ca5e3ab21df4

SHA256
be5cf6c5631b200035aaed41bb06f696725ef65553d774a77113b33bcf4e37a7

SHA512
acead40fe19106636208dfc40d65ac0ebe9bd79003fa12470782434a9dac2670e074cb855f06ea43be800bbff487e921d8912e8342df1b75d322b3faa8f6bf6e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
68KB

MD5
5bf1e4d689682fb486e89dd6e62833c6

SHA1
c54ba4ccaa7000dd9a9023b68bc3ca5e3ab21df4

SHA256
be5cf6c5631b200035aaed41bb06f696725ef65553d774a77113b33bcf4e37a7

SHA512
acead40fe19106636208dfc40d65ac0ebe9bd79003fa12470782434a9dac2670e074cb855f06ea43be800bbff487e921d8912e8342df1b75d322b3faa8f6bf6e

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
68c911a37fb10b4fad72e29aaba072b2

SHA1
a487969cfbeb9d25234cec55325c1771203b96a1

SHA256
d36b5388baddd5c520d7a59eaf99c4210845ce25bb1064a8ed999ad83d0713b4

SHA512
77098b5f51b49b80645789a3e33ffb72db0a9a0aaf1bc186ca86ca4978714f06ec7342bb1101c98df8f8945dd099dd3275903d89d3516ebd1260aa29a5b6f407

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
59497adebf730d817315eeb262e20b13

SHA1
be148303a77a5f656dc730b73febf7680df45979

SHA256
e0711e3a7a2f59078bf7cb2ff86a1d08a18624beea4617c6971422604ab1c03d

SHA512
1be719ccb42a5bab340dc5b88d48c14b83a17ff164a3e6a98b7c1275b5ee5b7f8d3c85a7ad6ee95db2552ddaa73cb4621c3ee4286641c16b20bb3d6c5308f05f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
59497adebf730d817315eeb262e20b13

SHA1
be148303a77a5f656dc730b73febf7680df45979

SHA256
e0711e3a7a2f59078bf7cb2ff86a1d08a18624beea4617c6971422604ab1c03d

SHA512
1be719ccb42a5bab340dc5b88d48c14b83a17ff164a3e6a98b7c1275b5ee5b7f8d3c85a7ad6ee95db2552ddaa73cb4621c3ee4286641c16b20bb3d6c5308f05f

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
68c911a37fb10b4fad72e29aaba072b2

SHA1
a487969cfbeb9d25234cec55325c1771203b96a1

SHA256
d36b5388baddd5c520d7a59eaf99c4210845ce25bb1064a8ed999ad83d0713b4

SHA512
77098b5f51b49b80645789a3e33ffb72db0a9a0aaf1bc186ca86ca4978714f06ec7342bb1101c98df8f8945dd099dd3275903d89d3516ebd1260aa29a5b6f407

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
68KB

MD5
5bf1e4d689682fb486e89dd6e62833c6

SHA1
c54ba4ccaa7000dd9a9023b68bc3ca5e3ab21df4

SHA256
be5cf6c5631b200035aaed41bb06f696725ef65553d774a77113b33bcf4e37a7

SHA512
acead40fe19106636208dfc40d65ac0ebe9bd79003fa12470782434a9dac2670e074cb855f06ea43be800bbff487e921d8912e8342df1b75d322b3faa8f6bf6e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
68KB

MD5
5bf1e4d689682fb486e89dd6e62833c6

SHA1
c54ba4ccaa7000dd9a9023b68bc3ca5e3ab21df4

SHA256
be5cf6c5631b200035aaed41bb06f696725ef65553d774a77113b33bcf4e37a7

SHA512
acead40fe19106636208dfc40d65ac0ebe9bd79003fa12470782434a9dac2670e074cb855f06ea43be800bbff487e921d8912e8342df1b75d322b3faa8f6bf6e

Download Submit