neconyd | 53c3c3af3cb60482541df652ca19ac39fc71025b45214610ad36d574351579f6

Analysis

max time kernel
149s
max time network
128s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02-05-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53c3c3af3cb60482541df652ca19ac39fc71025b45214610ad36d574351579f6.exe
Size

65KB
MD5

221dd1817eee478c9635e59b35851c9f
SHA1

121046c871be6da9cbfd36e9909602d496a17d86
SHA256

53c3c3af3cb60482541df652ca19ac39fc71025b45214610ad36d574351579f6
SHA512

61abd2aa901ee10cea590a3f956faefd965d63d5ec248a8a34e00d0801c6161506cb49055d8ac3017ce174791eebea6c0e8bcedd525f329881ba43d9126721e3
SSDEEP

1536:Vd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZcl/5:ddseIO+EZEyFjEOFqTiQmOl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2952	omsecor.exe
1572	omsecor.exe
2144	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2316	53c3c3af3cb60482541df652ca19ac39fc71025b45214610ad36d574351579f6.exe
2316	53c3c3af3cb60482541df652ca19ac39fc71025b45214610ad36d574351579f6.exe
2952	omsecor.exe
2952	omsecor.exe
1572	omsecor.exe
1572	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2952	2316	53c3c3af3cb60482541df652ca19ac39fc71025b45214610ad36d574351579f6.exe	28
PID 2316 wrote to memory of 2952	2316	53c3c3af3cb60482541df652ca19ac39fc71025b45214610ad36d574351579f6.exe	28
PID 2316 wrote to memory of 2952	2316	53c3c3af3cb60482541df652ca19ac39fc71025b45214610ad36d574351579f6.exe	28
PID 2316 wrote to memory of 2952	2316	53c3c3af3cb60482541df652ca19ac39fc71025b45214610ad36d574351579f6.exe	28
PID 2952 wrote to memory of 1572	2952	omsecor.exe	32
PID 2952 wrote to memory of 1572	2952	omsecor.exe	32
PID 2952 wrote to memory of 1572	2952	omsecor.exe	32
PID 2952 wrote to memory of 1572	2952	omsecor.exe	32
PID 1572 wrote to memory of 2144	1572	omsecor.exe	33
PID 1572 wrote to memory of 2144	1572	omsecor.exe	33
PID 1572 wrote to memory of 2144	1572	omsecor.exe	33
PID 1572 wrote to memory of 2144	1572	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\53c3c3af3cb60482541df652ca19ac39fc71025b45214610ad36d574351579f6.exe
"C:\Users\Admin\AppData\Local\Temp\53c3c3af3cb60482541df652ca19ac39fc71025b45214610ad36d574351579f6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:2144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
3e702fc43a6c8bb87b5bd98d5bb685b7

SHA1
fcf8e730620bd02cb3a2a5bf4bc705b8aa727d8d

SHA256
02b2396aa0020ea700f30e86bbb0946106753e703cc3569e28e70ebe9bffc7ac

SHA512
bf8883929e4763427e31e142e916d0f39c89e67b660ef87e46d575c75260f0448465daba5e1f7b97d831f044a7c97465c5adfede2dfa6171c342f9468fa1746b

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
8e2e2069c3443e60e22fb051bcb59cb1

SHA1
5d1099a9e3073ae286f9dd6db7128a5b7575afcd

SHA256
33f1e332b9e2e43840235287c960aa2ccb4e5b90991b41a9b20c2c3e507229bb

SHA512
9b6fddbe792fc1d2dfda48fd56124c544d2a944f20d26990fc67ad9cb1dd33920eaf332e1303a964e939053c15694336e3a607e1c2680af4bda8c51116f0b12f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
ee1fb5964d0412a381cdf71ac7c16cc2

SHA1
68cb2b26442b836be7424d4a21439cceb470f0da

SHA256
5b13ac92a8907e39242e6ddaebb09d0230cce07f462f3ab4f745deec50292d33

SHA512
0fc5c15754ed880e3c4f27a23c83d0c948da97a4b5d87641a19d48300e24ad37dead644a9c0e24b60b82c38868c71d74ae6e72c9490e4a5ea13d5c9a309db4d3

Download Submit
memory/1572-32-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2144-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2144-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2316-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2952-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2952-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2952-16-0x00000000005C0000-0x00000000005EA000-memory.dmp

Filesize
168KB

Download
memory/2952-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download