neconyd | 546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67

Analysis

max time kernel
147s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67.exe
Size

96KB
MD5

867aca449d60285205472cc8e044fc8d
SHA1

58cf7d1496ef9ba9b9f2b79c0f629be7db939388
SHA256

546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67
SHA512

0a910808dbbffd351d81a6ad40ff2a5f099d33960074ab4ec3d47fbbc2f567fcc5a0ef4fdc10f2b8e1ca34cf26f5ca16fe8385695f3a154cadd05dbcf55a2298
SSDEEP

1536:znAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:zGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Detects executables built or packed with MPress PE compressor 14 IoCs

resource	yara_rule
behavioral1/memory/848-0-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/848-1-0x0000000000230000-0x0000000000253000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/848-7-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0008000000012242-23.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2152-22-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2152-31-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000004ed7-46.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2592-47-0x0000000002140000-0x0000000002163000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1552-58-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1552-65-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0008000000012242-69.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1232-79-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1232-88-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1476-71-0x0000000000230000-0x0000000000253000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 6 IoCs

pid	Process
2152	omsecor.exe
2592	omsecor.exe
1552	omsecor.exe
1476	omsecor.exe
1232	omsecor.exe
2668	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2132	546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67.exe
2132	546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67.exe
2152	omsecor.exe
2592	omsecor.exe
2592	omsecor.exe
1476	omsecor.exe
1476	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 848 set thread context of 2132	848	546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67.exe	28
PID 2152 set thread context of 2592	2152	omsecor.exe	30
PID 1552 set thread context of 1476	1552	omsecor.exe	35
PID 1232 set thread context of 2668	1232	omsecor.exe	37

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2132	848	546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67.exe	28
PID 848 wrote to memory of 2132	848	546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67.exe	28
PID 848 wrote to memory of 2132	848	546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67.exe	28
PID 848 wrote to memory of 2132	848	546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67.exe	28
PID 848 wrote to memory of 2132	848	546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67.exe	28
PID 848 wrote to memory of 2132	848	546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67.exe	28
PID 2132 wrote to memory of 2152	2132	546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67.exe	29
PID 2132 wrote to memory of 2152	2132	546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67.exe	29
PID 2132 wrote to memory of 2152	2132	546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67.exe	29
PID 2132 wrote to memory of 2152	2132	546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67.exe	29
PID 2152 wrote to memory of 2592	2152	omsecor.exe	30
PID 2152 wrote to memory of 2592	2152	omsecor.exe	30
PID 2152 wrote to memory of 2592	2152	omsecor.exe	30
PID 2152 wrote to memory of 2592	2152	omsecor.exe	30
PID 2152 wrote to memory of 2592	2152	omsecor.exe	30
PID 2152 wrote to memory of 2592	2152	omsecor.exe	30
PID 2592 wrote to memory of 1552	2592	omsecor.exe	34
PID 2592 wrote to memory of 1552	2592	omsecor.exe	34
PID 2592 wrote to memory of 1552	2592	omsecor.exe	34
PID 2592 wrote to memory of 1552	2592	omsecor.exe	34
PID 1552 wrote to memory of 1476	1552	omsecor.exe	35
PID 1552 wrote to memory of 1476	1552	omsecor.exe	35
PID 1552 wrote to memory of 1476	1552	omsecor.exe	35
PID 1552 wrote to memory of 1476	1552	omsecor.exe	35
PID 1552 wrote to memory of 1476	1552	omsecor.exe	35
PID 1552 wrote to memory of 1476	1552	omsecor.exe	35
PID 1476 wrote to memory of 1232	1476	omsecor.exe	36
PID 1476 wrote to memory of 1232	1476	omsecor.exe	36
PID 1476 wrote to memory of 1232	1476	omsecor.exe	36
PID 1476 wrote to memory of 1232	1476	omsecor.exe	36
PID 1232 wrote to memory of 2668	1232	omsecor.exe	37
PID 1232 wrote to memory of 2668	1232	omsecor.exe	37
PID 1232 wrote to memory of 2668	1232	omsecor.exe	37
PID 1232 wrote to memory of 2668	1232	omsecor.exe	37
PID 1232 wrote to memory of 2668	1232	omsecor.exe	37
PID 1232 wrote to memory of 2668	1232	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67.exe
"C:\Users\Admin\AppData\Local\Temp\546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67.exe
  C:\Users\Admin\AppData\Local\Temp\546e557ff2abff1d115f210161e528e3804685304154a248adec6f9f6bb36b67.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1552
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:2668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
00553daa6eb695c550d1a3cc1f98e764

SHA1
9ca956e8e9976da0a06eecba811f82d4da38bfe9

SHA256
5abd59b59aeea57c62c690d07aadc71697ec8006b722b9762a09d2ad04a1931a

SHA512
fe8a2e8dc839c487fce3b6a7e6398d61ca404b3e5f6f3dddaa119e1674202bba298b7739a31868b965d73c393759446b13b7a777478890fe98fe093e6983a408

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
af5baaa734a6b745e5575f270fbd084e

SHA1
81c8a0f8c35a13d231c2520078eedb78c3458baf

SHA256
4fed0dff002cd4c8f088d10eeacf9d5e13b9288f9e30f939e8fd67a9354573b3

SHA512
1a49c56fef83ed55c5c27370c2eb0ed956cf0619d55745e9407f9bc5245784304135760beacf9948574653abd025c24e9d9f52fb505d4e2db18440ce0af9bcda

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
81227c96319b390fe44213252274f43c

SHA1
93782e68046105ce14325e988a9f685bc3abeae4

SHA256
c7203c4fe5f67da4501e39ec8d27190f80fd19f43fa5e6bd8f67be4f3d2339d5

SHA512
d1ac22d6e0de4077776737cc3fd36095d25d2ecddf6c926d4b30aa4fa05a306ad71e4e7023dcddcc8bafcc1960a256696d438eb6e7da0778b6e813832c75ff68

Download Submit
memory/848-1-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/848-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/848-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1232-88-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1232-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1476-81-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1476-71-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1476-93-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1552-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1552-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2132-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-21-0x00000000005C0000-0x00000000005E3000-memory.dmp

Filesize
140KB

Download
memory/2132-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2132-35-0x00000000005C0000-0x00000000005E3000-memory.dmp

Filesize
140KB

Download
memory/2132-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2132-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2152-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2152-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2592-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2592-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2592-55-0x0000000002140000-0x0000000002163000-memory.dmp

Filesize
140KB

Download
memory/2592-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2592-47-0x0000000002140000-0x0000000002163000-memory.dmp

Filesize
140KB

Download
memory/2592-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2592-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2668-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2668-95-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download