neconyd | 06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe
Size

134KB
MD5

28cea1d9184634d41849ecbfc7021883
SHA1

531e1918182b09088e1433c1f29b91c93181ef4a
SHA256

06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce
SHA512

48f4171df816e51a37cd3567d914ceefcc1be8acd14825c988100d2af3803c9403732af04fbeea54d9c8b27702fce9d8b9874c0907e58cad3fdf85f0d8406121
SSDEEP

1536:cDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:CiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Detects executables built or packed with MPress PE compressor 9 IoCs

resource	yara_rule
behavioral2/memory/1156-0-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000c000000023b5f-10.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3728-11-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1156-16-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000f000000023bce-28.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3444-31-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000c000000023b5f-40.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1532-41-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3444-49-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 6 IoCs

pid	Process
3728	omsecor.exe
1468	omsecor.exe
3444	omsecor.exe
2340	omsecor.exe
1532	omsecor.exe
2176	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1156 set thread context of 388	1156	06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe	83
PID 3728 set thread context of 1468	3728	omsecor.exe	88
PID 3444 set thread context of 2340	3444	omsecor.exe	111
PID 1532 set thread context of 2176	1532	omsecor.exe	115

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4732	1156	WerFault.exe	82
856	3728	WerFault.exe	85
1428	3444	WerFault.exe	110
4720	1532	WerFault.exe	113

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 388	1156	06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe	83
PID 1156 wrote to memory of 388	1156	06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe	83
PID 1156 wrote to memory of 388	1156	06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe	83
PID 1156 wrote to memory of 388	1156	06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe	83
PID 1156 wrote to memory of 388	1156	06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe	83
PID 388 wrote to memory of 3728	388	06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe	85
PID 388 wrote to memory of 3728	388	06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe	85
PID 388 wrote to memory of 3728	388	06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe	85
PID 3728 wrote to memory of 1468	3728	omsecor.exe	88
PID 3728 wrote to memory of 1468	3728	omsecor.exe	88
PID 3728 wrote to memory of 1468	3728	omsecor.exe	88
PID 3728 wrote to memory of 1468	3728	omsecor.exe	88
PID 3728 wrote to memory of 1468	3728	omsecor.exe	88
PID 1468 wrote to memory of 3444	1468	omsecor.exe	110
PID 1468 wrote to memory of 3444	1468	omsecor.exe	110
PID 1468 wrote to memory of 3444	1468	omsecor.exe	110
PID 3444 wrote to memory of 2340	3444	omsecor.exe	111
PID 3444 wrote to memory of 2340	3444	omsecor.exe	111
PID 3444 wrote to memory of 2340	3444	omsecor.exe	111
PID 3444 wrote to memory of 2340	3444	omsecor.exe	111
PID 3444 wrote to memory of 2340	3444	omsecor.exe	111
PID 2340 wrote to memory of 1532	2340	omsecor.exe	113
PID 2340 wrote to memory of 1532	2340	omsecor.exe	113
PID 2340 wrote to memory of 1532	2340	omsecor.exe	113
PID 1532 wrote to memory of 2176	1532	omsecor.exe	115
PID 1532 wrote to memory of 2176	1532	omsecor.exe	115
PID 1532 wrote to memory of 2176	1532	omsecor.exe	115
PID 1532 wrote to memory of 2176	1532	omsecor.exe	115
PID 1532 wrote to memory of 2176	1532	omsecor.exe	115

C:\Users\Admin\AppData\Local\Temp\06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe
"C:\Users\Admin\AppData\Local\Temp\06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Users\Admin\AppData\Local\Temp\06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe
  C:\Users\Admin\AppData\Local\Temp\06a68b7098c5cb014aa3ad279abc256c6037e2a827f64ae184e5719010f0abce.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3444
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 268
        8⤵
        Program crash
        
        PID:4720
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 292
        6⤵
        Program crash
        
        PID:1428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 292
      4⤵
      Program crash
      PID:856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 288
  2⤵
  - Program crash
  PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1156 -ip 1156
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3728 -ip 3728
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3444 -ip 3444
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1532 -ip 1532
1⤵
PID:5100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
0f66386e6876ec047b7cc216b0a3b364

SHA1
a574cfa6991f7ba03ad822df7672843a4d8f5846

SHA256
f32c3b4bc9ee526134ca803852718a63e46e56b95c5084707e4d7cb04f1a4f27

SHA512
ecca793944bdb7b19503b1bf8934175415f1dc3beb49f76b3d3f4beee8ab527d2aff8973fccdf4613acbdc4d32ea2342c0ccff5ccf20428a9928a5e4443865ec

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
2f20ecb2c70eb7f301e577e8b66e6708

SHA1
f77ff9d3e112d1501c451fbfb1d15dd09ec707e5

SHA256
0111a85b30b1595ab2eb8e6302b6a9c65375e757319c3c317a4e4be761cbb766

SHA512
796f9fb45db5dda0f984954905f90bb2d96a96774ea2f747f64597de76dea6ea8c7d04dd2e4f034afe8edd74901c99961f6b94ad7e3062df1903176682fd7b9d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
2b11a4501ccef31af1022a6efb0e8ca1

SHA1
12e3214c20c05f80d3ae2da5510866c000047043

SHA256
e4a973a88792a1cafa077570ed9be5bac967dd8a49d508397374dc35321a9415

SHA512
cb44b70fd2b057bacd38710c19df820da41417a031a4e29492935c0c0b55cf2826a58a310457c675a37bee1d3ffaa1f3d6bad800fc5ec2bc8f97ca2bcc9c919c

Download Submit
memory/388-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/388-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/388-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/388-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1156-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1156-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1468-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1468-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1468-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1468-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1468-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1468-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1532-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2176-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2176-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2176-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2176-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3444-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3444-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3728-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download