neconyd | 17c155d38b7255f10a57d43f44014dd6d0b1c28201e62db9c08d39e10ef064c6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01b36e0afa6cf15ee49ba2c56994f33f.exe
Size

128KB
MD5

01b36e0afa6cf15ee49ba2c56994f33f
SHA1

d3449d903ff8473fd6efd34808f7cb0802a7d3ef
SHA256

17c155d38b7255f10a57d43f44014dd6d0b1c28201e62db9c08d39e10ef064c6
SHA512

530b75c4052de6c7d1b5d6b0a34a4007a19efc31c52682625c079bd51847c97d1e200b9bdeadd923af3064a53c7ae365e4a32b124e60c42fd11682788293d9c2
SSDEEP

1536:GDfDbhERTatPLTLLbC+8BMNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabau:4iRTe3n8BMAW6J6f1tqF6dngNmaZrN

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 9 IoCs

pid	Process
4488	omsecor.exe
3532	omsecor.exe
3428	omsecor.exe
2832	omsecor.exe
3616	omsecor.exe
3196	omsecor.exe
2508	omsecor.exe
3504	omsecor.exe
540	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2544 set thread context of 4196	2544	01b36e0afa6cf15ee49ba2c56994f33f.exe	89
PID 4488 set thread context of 3532	4488	omsecor.exe	93
PID 3428 set thread context of 2832	3428	omsecor.exe	113
PID 3616 set thread context of 3196	3616	omsecor.exe	117
PID 2508 set thread context of 3504	2508	omsecor.exe	133

Program crash 5 IoCs

pid	pid_target	Process	procid_target
5044	2544	WerFault.exe	57
3440	4488	WerFault.exe	92
4368	3428	WerFault.exe	112
1476	3616	WerFault.exe	116
4364	2508	WerFault.exe	132

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 4196	2544	01b36e0afa6cf15ee49ba2c56994f33f.exe	89
PID 2544 wrote to memory of 4196	2544	01b36e0afa6cf15ee49ba2c56994f33f.exe	89
PID 2544 wrote to memory of 4196	2544	01b36e0afa6cf15ee49ba2c56994f33f.exe	89
PID 2544 wrote to memory of 4196	2544	01b36e0afa6cf15ee49ba2c56994f33f.exe	89
PID 2544 wrote to memory of 4196	2544	01b36e0afa6cf15ee49ba2c56994f33f.exe	89
PID 4196 wrote to memory of 4488	4196	01b36e0afa6cf15ee49ba2c56994f33f.exe	92
PID 4196 wrote to memory of 4488	4196	01b36e0afa6cf15ee49ba2c56994f33f.exe	92
PID 4196 wrote to memory of 4488	4196	01b36e0afa6cf15ee49ba2c56994f33f.exe	92
PID 4488 wrote to memory of 3532	4488	omsecor.exe	93
PID 4488 wrote to memory of 3532	4488	omsecor.exe	93
PID 4488 wrote to memory of 3532	4488	omsecor.exe	93
PID 4488 wrote to memory of 3532	4488	omsecor.exe	93
PID 4488 wrote to memory of 3532	4488	omsecor.exe	93
PID 3532 wrote to memory of 3428	3532	omsecor.exe	112
PID 3532 wrote to memory of 3428	3532	omsecor.exe	112
PID 3532 wrote to memory of 3428	3532	omsecor.exe	112
PID 3428 wrote to memory of 2832	3428	omsecor.exe	113
PID 3428 wrote to memory of 2832	3428	omsecor.exe	113
PID 3428 wrote to memory of 2832	3428	omsecor.exe	113
PID 3428 wrote to memory of 2832	3428	omsecor.exe	113
PID 3428 wrote to memory of 2832	3428	omsecor.exe	113
PID 2832 wrote to memory of 3616	2832	omsecor.exe	116
PID 2832 wrote to memory of 3616	2832	omsecor.exe	116
PID 2832 wrote to memory of 3616	2832	omsecor.exe	116
PID 3616 wrote to memory of 3196	3616	omsecor.exe	117
PID 3616 wrote to memory of 3196	3616	omsecor.exe	117
PID 3616 wrote to memory of 3196	3616	omsecor.exe	117
PID 3616 wrote to memory of 3196	3616	omsecor.exe	117
PID 3616 wrote to memory of 3196	3616	omsecor.exe	117
PID 3196 wrote to memory of 2508	3196	omsecor.exe	132
PID 3196 wrote to memory of 2508	3196	omsecor.exe	132
PID 3196 wrote to memory of 2508	3196	omsecor.exe	132
PID 2508 wrote to memory of 3504	2508	omsecor.exe	133
PID 2508 wrote to memory of 3504	2508	omsecor.exe	133
PID 2508 wrote to memory of 3504	2508	omsecor.exe	133
PID 2508 wrote to memory of 3504	2508	omsecor.exe	133
PID 2508 wrote to memory of 3504	2508	omsecor.exe	133
PID 3504 wrote to memory of 540	3504	omsecor.exe	136
PID 3504 wrote to memory of 540	3504	omsecor.exe	136
PID 3504 wrote to memory of 540	3504	omsecor.exe	136

C:\Users\Admin\AppData\Local\Temp\01b36e0afa6cf15ee49ba2c56994f33f.exe
"C:\Users\Admin\AppData\Local\Temp\01b36e0afa6cf15ee49ba2c56994f33f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\01b36e0afa6cf15ee49ba2c56994f33f.exe
  C:\Users\Admin\AppData\Local\Temp\01b36e0afa6cf15ee49ba2c56994f33f.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3532
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3428
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        11⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 256
        10⤵
        Program crash
        
        PID:4364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 268
        8⤵
        Program crash
        
        PID:1476
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 292
        6⤵
        Program crash
        
        PID:4368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 296
      4⤵
      Program crash
      PID:3440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 288
  2⤵
  - Program crash
  PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2544 -ip 2544
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4488 -ip 4488
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3428 -ip 3428
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3616 -ip 3616
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2508 -ip 2508
1⤵
PID:1924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
648648d4279c0432f2e1122baa8c8e1f

SHA1
b738e2f572dfddef2fa0a3b4898fe12e1966f461

SHA256
0fede21db3e472b00e40659b6fea671e498144ea722666b49a0b92481669eace

SHA512
8b6b22ee0889c0eb3f4c29f07cca9107e165a06f18eea355a94f0f2225572b40669996f22f7690b212a6a6ad2c77336a8c7983f8db15773518a87f511fcf4436

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
3defeeae711daf9a6d3cf2c344612392

SHA1
8edb83e3de0a7a35353b6385f7291d7813e71d7a

SHA256
2fac71169f4d7d0a00b5226b6b131a9a6bb85fcbde768debd0dce046511c7e63

SHA512
6f257bbe9ae4509e573bd2d7db5b7995fcb107f91c8231dedc8866f3f8e17cef546666915e06e2db399a145bfe4ce4235a46dd4473524f358bf6963008c72b1a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
a58070486e3259fbe165050c268270fa

SHA1
f6144043396f6885dd762321aaf85e8d58424824

SHA256
acb0fa6fff2022e74cb7a49a4495f3619db736ae42ff0475b219f7d634e948a0

SHA512
a0cba3cd7ee3cb0f97403f22285a1a95a8d4e3a677101be15dcc0d68e984c16793ba16a4f380c9fcd26a86d875b0ee797c2a661f2c9564c401c5cefb70dd325d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
b7d66ae81673157b04a751f533ad2deb

SHA1
e9fc8a9f417aa67158fa4aa27bb6a1dbf81c1ff4

SHA256
6d169da37b409f4cf133aa51947385a1154d1ab97cc3c1ae98492d59d7e5e5b2

SHA512
5974db1f9f5423c6874e4cb0f2b1084e83ddbeee227d364a5d5fd8d73a0b205fc22074f7651cd1915241b9fa3543a2a075348d78f504b745f1790674fcd0827b

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
39KB

MD5
9340042be096507dec5eca2f01805229

SHA1
90d03f1fadcf990a7a5730ff33b9151265928b1e

SHA256
438d22fd98a23b824fd4db32e66fc4f9d692bf8e95786a2efda9ab69e433e6b8

SHA512
546cfc75ac9f4d0f81accae20123cbaed62d87f739c5e5fcbf6645c5bd5f9130427281d41386813a7aadeb7c22bf9d4b338bb6baec35247688738544a1e79f5d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
7daa9cdadd623b014a9df0b8eba07554

SHA1
23dbd2c9c5365746290c6982f92bb94760689b0c

SHA256
c226b2629befb4370a089c9a883cb7d47022ba97aeb99793a17ed13d14ff0d83

SHA512
ee238a85466e91832c5fb5e555835d49ba49feb917d1f999831bacb917f758fd9a159d56d9a32aeca06df11c8d7a770deba811860580a5ff74d632f75efb2b24

Download Submit
memory/2832-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2832-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2832-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3196-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3196-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3196-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3196-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3196-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3196-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3196-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3504-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3504-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3532-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3532-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3532-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3532-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3532-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3532-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3532-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4196-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4196-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4196-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4196-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download