neconyd | 17c155d38b7255f10a57d43f44014dd6d0b1c28201e62db9c08d39e10ef064c6

Analysis

max time kernel
160s
max time network
166s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01b36e0afa6cf15ee49ba2c56994f33f.exe
Size

128KB
MD5

01b36e0afa6cf15ee49ba2c56994f33f
SHA1

d3449d903ff8473fd6efd34808f7cb0802a7d3ef
SHA256

17c155d38b7255f10a57d43f44014dd6d0b1c28201e62db9c08d39e10ef064c6
SHA512

530b75c4052de6c7d1b5d6b0a34a4007a19efc31c52682625c079bd51847c97d1e200b9bdeadd923af3064a53c7ae365e4a32b124e60c42fd11682788293d9c2
SSDEEP

1536:GDfDbhERTatPLTLLbC+8BMNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabau:4iRTe3n8BMAW6J6f1tqF6dngNmaZrN

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
2828	omsecor.exe
2128	omsecor.exe
524	omsecor.exe
880	omsecor.exe
1968	omsecor.exe
1720	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
1908	01b36e0afa6cf15ee49ba2c56994f33f.exe
1908	01b36e0afa6cf15ee49ba2c56994f33f.exe
2828	omsecor.exe
2128	omsecor.exe
2128	omsecor.exe
880	omsecor.exe
880	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2752 set thread context of 1908	2752	01b36e0afa6cf15ee49ba2c56994f33f.exe	28
PID 2828 set thread context of 2128	2828	omsecor.exe	30
PID 524 set thread context of 880	524	omsecor.exe	35
PID 1968 set thread context of 1720	1968	omsecor.exe	37

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 1908	2752	01b36e0afa6cf15ee49ba2c56994f33f.exe	28
PID 2752 wrote to memory of 1908	2752	01b36e0afa6cf15ee49ba2c56994f33f.exe	28
PID 2752 wrote to memory of 1908	2752	01b36e0afa6cf15ee49ba2c56994f33f.exe	28
PID 2752 wrote to memory of 1908	2752	01b36e0afa6cf15ee49ba2c56994f33f.exe	28
PID 2752 wrote to memory of 1908	2752	01b36e0afa6cf15ee49ba2c56994f33f.exe	28
PID 2752 wrote to memory of 1908	2752	01b36e0afa6cf15ee49ba2c56994f33f.exe	28
PID 1908 wrote to memory of 2828	1908	01b36e0afa6cf15ee49ba2c56994f33f.exe	29
PID 1908 wrote to memory of 2828	1908	01b36e0afa6cf15ee49ba2c56994f33f.exe	29
PID 1908 wrote to memory of 2828	1908	01b36e0afa6cf15ee49ba2c56994f33f.exe	29
PID 1908 wrote to memory of 2828	1908	01b36e0afa6cf15ee49ba2c56994f33f.exe	29
PID 2828 wrote to memory of 2128	2828	omsecor.exe	30
PID 2828 wrote to memory of 2128	2828	omsecor.exe	30
PID 2828 wrote to memory of 2128	2828	omsecor.exe	30
PID 2828 wrote to memory of 2128	2828	omsecor.exe	30
PID 2828 wrote to memory of 2128	2828	omsecor.exe	30
PID 2828 wrote to memory of 2128	2828	omsecor.exe	30
PID 2128 wrote to memory of 524	2128	omsecor.exe	34
PID 2128 wrote to memory of 524	2128	omsecor.exe	34
PID 2128 wrote to memory of 524	2128	omsecor.exe	34
PID 2128 wrote to memory of 524	2128	omsecor.exe	34
PID 524 wrote to memory of 880	524	omsecor.exe	35
PID 524 wrote to memory of 880	524	omsecor.exe	35
PID 524 wrote to memory of 880	524	omsecor.exe	35
PID 524 wrote to memory of 880	524	omsecor.exe	35
PID 524 wrote to memory of 880	524	omsecor.exe	35
PID 524 wrote to memory of 880	524	omsecor.exe	35
PID 880 wrote to memory of 1968	880	omsecor.exe	36
PID 880 wrote to memory of 1968	880	omsecor.exe	36
PID 880 wrote to memory of 1968	880	omsecor.exe	36
PID 880 wrote to memory of 1968	880	omsecor.exe	36
PID 1968 wrote to memory of 1720	1968	omsecor.exe	37
PID 1968 wrote to memory of 1720	1968	omsecor.exe	37
PID 1968 wrote to memory of 1720	1968	omsecor.exe	37
PID 1968 wrote to memory of 1720	1968	omsecor.exe	37
PID 1968 wrote to memory of 1720	1968	omsecor.exe	37
PID 1968 wrote to memory of 1720	1968	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\01b36e0afa6cf15ee49ba2c56994f33f.exe
"C:\Users\Admin\AppData\Local\Temp\01b36e0afa6cf15ee49ba2c56994f33f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\Temp\01b36e0afa6cf15ee49ba2c56994f33f.exe
  C:\Users\Admin\AppData\Local\Temp\01b36e0afa6cf15ee49ba2c56994f33f.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:524
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:1720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
e2fc01ce35c38dd0e9c20af61d52f1f9

SHA1
3a120795efa854287bedd2de0cebcbeda1997df5

SHA256
11ab290b606d893caaddc2e67ee6c770df261181e27a60b6b3612daf28250483

SHA512
7bb1b85484b8dc6279be76a6b491366da254b7aaaf44e22b29c8d9938cd0269bab78bd81f1feaf5af1ed3d0f155ee429513e68c5a61fe37027051200bb67dee1

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
11ebc7d4761e97b03135ce9e64857583

SHA1
1a2e701fe1979d98631c099cb257c1a7d6d614a3

SHA256
588009a93e0453ad0ee1e50aa7492bb23bb6b3be12b617f0761dff7c0d1ae6d6

SHA512
11342ca7cdb08793e0f25ab3c0c99c6509aceba56c31c3611d926ebc4c48438c2257f38446b7354d3eb808b4a5c84c5967ccc9f0697cf2a8784f0ddd711062fa

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
3defeeae711daf9a6d3cf2c344612392

SHA1
8edb83e3de0a7a35353b6385f7291d7813e71d7a

SHA256
2fac71169f4d7d0a00b5226b6b131a9a6bb85fcbde768debd0dce046511c7e63

SHA512
6f257bbe9ae4509e573bd2d7db5b7995fcb107f91c8231dedc8866f3f8e17cef546666915e06e2db399a145bfe4ce4235a46dd4473524f358bf6963008c72b1a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
ccfa676c44e5908f908a562fc52f2501

SHA1
c6446efc1290670a5af497b265cd1f828f441fd1

SHA256
f1171ad30e94ff0f91ee10810a85866d5360b705b8b810b37396ccb0c6f8b9a1

SHA512
2aa8867fb7a8145e4c3869da2af929cb68fcc1a198568f4b6619f1be3817eec2e2fa0ccfeb616fb4f475e31b4cbe5473102b62626ba57556771e14285d67a2c7

Download Submit
memory/1720-77-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1720-76-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1720-73-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1908-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1908-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1908-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1908-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1908-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2128-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2128-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2128-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2128-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download