neconyd | c342c1663c2c908f241cc4dd8044e4845c10a4d3ce8ede32d38c31134748d35a

Analysis

max time kernel
128s
max time network
135s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c342c1663c2c908f241cc4dd8044e4845c10a4d3ce8ede32d38c31134748d35a.exe
Size

92KB
MD5

e6012da6fc525286ad91fc5b70b12581
SHA1

672eebaaff2276beb89208051db498418708b91f
SHA256

c342c1663c2c908f241cc4dd8044e4845c10a4d3ce8ede32d38c31134748d35a
SHA512

f620eec650d7550ddcba52a8acb9162e790cf59f6998b750583b59e57237e2edd3ca23e76a6901411dca6d4664e4b5be83f9d38c6da2e08ab981cb80a1521ba5
SSDEEP

1536:Td9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:TdseIOyEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2076	omsecor.exe
2236	omsecor.exe
1960	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1712	c342c1663c2c908f241cc4dd8044e4845c10a4d3ce8ede32d38c31134748d35a.exe
1712	c342c1663c2c908f241cc4dd8044e4845c10a4d3ce8ede32d38c31134748d35a.exe
2076	omsecor.exe
2076	omsecor.exe
2236	omsecor.exe
2236	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2076	1712	c342c1663c2c908f241cc4dd8044e4845c10a4d3ce8ede32d38c31134748d35a.exe	28
PID 1712 wrote to memory of 2076	1712	c342c1663c2c908f241cc4dd8044e4845c10a4d3ce8ede32d38c31134748d35a.exe	28
PID 1712 wrote to memory of 2076	1712	c342c1663c2c908f241cc4dd8044e4845c10a4d3ce8ede32d38c31134748d35a.exe	28
PID 1712 wrote to memory of 2076	1712	c342c1663c2c908f241cc4dd8044e4845c10a4d3ce8ede32d38c31134748d35a.exe	28
PID 2076 wrote to memory of 2236	2076	omsecor.exe	32
PID 2076 wrote to memory of 2236	2076	omsecor.exe	32
PID 2076 wrote to memory of 2236	2076	omsecor.exe	32
PID 2076 wrote to memory of 2236	2076	omsecor.exe	32
PID 2236 wrote to memory of 1960	2236	omsecor.exe	33
PID 2236 wrote to memory of 1960	2236	omsecor.exe	33
PID 2236 wrote to memory of 1960	2236	omsecor.exe	33
PID 2236 wrote to memory of 1960	2236	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\c342c1663c2c908f241cc4dd8044e4845c10a4d3ce8ede32d38c31134748d35a.exe
"C:\Users\Admin\AppData\Local\Temp\c342c1663c2c908f241cc4dd8044e4845c10a4d3ce8ede32d38c31134748d35a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
7dfdf3afdf2d38f728b436d1d2bafc33

SHA1
32f9384b70a0498684bf3c3dc55b4e996f772161

SHA256
b52acaddb5513d7e4bec6007292fe235f225a13454b22707d877df065f123754

SHA512
e24bbeccc2a5082849eb886468773d0b439034261237c82f8e62d8cbcd93fdce322516a7809608b98998a2bcbc8ffcf0df43074bdbbb8744dec634adeba89f05

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
aaba9e84a6e3645201bb753121bcec17

SHA1
95786474e846a7d6d155798d0d09bfe061bede6e

SHA256
d3e4a1a34b2370e963b8c2e49e9430f3f6a93c1011644d82dbe07b4032f2948c

SHA512
92b6d10af2041d75aa47f0e0cd8c0f65c35c8f02a285ce338e4eac36d3c9a5f3d55e9e5039b23850f85f978d7aa7508e0833fadc11a4e6810aa28f676587279b

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
c70b574a042323e283beaee5d680fc90

SHA1
7d06d1e058ba6dbeafd6704ed0d9d8e2fbafff73

SHA256
4a828e84624e4a389cf15ed6fb44cd186eb29b5553a04924884bd4743adb23dd

SHA512
fb981be85a400e9ab4a3110ca52196003b1e4b25f9f05a2e836c391f34f4fc68fd313ebbf65e2ec9561d5b7549f711890fda069843705d96c299a83bf45e5199

Download Submit
memory/1712-8-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/1712-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1712-9-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/1960-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1960-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2076-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2076-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2076-18-0x0000000000430000-0x000000000045B000-memory.dmp

Filesize
172KB

Download
memory/2076-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2236-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download