neconyd | 42c09d781e55f83e2cd6979ff449bf87f4bd6d2b6aeec29212d1e489fe91557e

Analysis

max time kernel
127s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-05-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42c09d781e55f83e2cd6979ff449bf87f4bd6d2b6aeec29212d1e489fe91557e.exe
Size

92KB
MD5

adee8bd111501c0932e89d63a416f356
SHA1

c70b83dcccfb3f57f12ff6565948a9093149503c
SHA256

42c09d781e55f83e2cd6979ff449bf87f4bd6d2b6aeec29212d1e489fe91557e
SHA512

287998f849390b0a4a6a40afab20dcb16f11396bce22c2db6d9d73fa9b2a02c30927e2cb8759b2072705be475121d0b801ed6bfc143283d6b0b028506150e671
SSDEEP

1536:5d9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:ZdseIOyEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
3016	omsecor.exe
1440	omsecor.exe
340	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2924	42c09d781e55f83e2cd6979ff449bf87f4bd6d2b6aeec29212d1e489fe91557e.exe
2924	42c09d781e55f83e2cd6979ff449bf87f4bd6d2b6aeec29212d1e489fe91557e.exe
3016	omsecor.exe
3016	omsecor.exe
1440	omsecor.exe
1440	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 3016	2924	42c09d781e55f83e2cd6979ff449bf87f4bd6d2b6aeec29212d1e489fe91557e.exe	28
PID 2924 wrote to memory of 3016	2924	42c09d781e55f83e2cd6979ff449bf87f4bd6d2b6aeec29212d1e489fe91557e.exe	28
PID 2924 wrote to memory of 3016	2924	42c09d781e55f83e2cd6979ff449bf87f4bd6d2b6aeec29212d1e489fe91557e.exe	28
PID 2924 wrote to memory of 3016	2924	42c09d781e55f83e2cd6979ff449bf87f4bd6d2b6aeec29212d1e489fe91557e.exe	28
PID 3016 wrote to memory of 1440	3016	omsecor.exe	32
PID 3016 wrote to memory of 1440	3016	omsecor.exe	32
PID 3016 wrote to memory of 1440	3016	omsecor.exe	32
PID 3016 wrote to memory of 1440	3016	omsecor.exe	32
PID 1440 wrote to memory of 340	1440	omsecor.exe	33
PID 1440 wrote to memory of 340	1440	omsecor.exe	33
PID 1440 wrote to memory of 340	1440	omsecor.exe	33
PID 1440 wrote to memory of 340	1440	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\42c09d781e55f83e2cd6979ff449bf87f4bd6d2b6aeec29212d1e489fe91557e.exe
"C:\Users\Admin\AppData\Local\Temp\42c09d781e55f83e2cd6979ff449bf87f4bd6d2b6aeec29212d1e489fe91557e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
d1bb8f9220160058bc83c3dd2d0782b0

SHA1
c087f608b34ff7eb06962d1d82770b6655409d7d

SHA256
519f28c97038df9ff9260599ef03f33af228e84799601590836e2281f0a90810

SHA512
7e1e8cad980a7dbb2277c81af1f7be0808cf1557a8628bc6026a57e7ecce7137cb249f4f77ecf02059237d657b132f6c8f2d497bb66910052f90ea84ec9ffab8

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
56394ad24d3838d3499e13009a92f2d8

SHA1
025d64b2fb46f3c4f6fa0f746232445bc07afbf3

SHA256
3b718aa3dad8cceb3c47754f8c3dc6518b7dd0096931e9246c0c434647181dcb

SHA512
430574113ca7bbbedf342a68ecdc8245766bd9f774af48f19dd25651ae41efb524296cd3d3c6e5aa5d46b020baf446900d931fe1ae81b0fd30c8588e1ad5fe6f

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
31ad182c2b40259c9aa2d41f0c381080

SHA1
38756fd32f816471944a94316e25b4cd650f15cf

SHA256
fd21e71e26f4f5ff22ca861ef427be26a11cbe7902997598863376e8ca2a9d4e

SHA512
9143b8991fa73487f0febda87b54fa2ae77d125191c70c78a4c98a65366024964354692c0e724f139f831493554bf966652ada2af428a247e9852805ae47a627

Download Submit
memory/340-39-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/340-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1440-27-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1440-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2924-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2924-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2924-4-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/3016-18-0x0000000000390000-0x00000000003BB000-memory.dmp

Filesize
172KB

Download
memory/3016-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3016-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3016-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download