neconyd | 5270b96f3bf0d567f3a4a19cc45f75ed239b108e4ba6cda952129de514f53f94

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5270b96f3bf0d567f3a4a19cc45f75ed239b108e4ba6cda952129de514f53f94.exe
Size

92KB
MD5

50c04a020f5418b5ecf603c67de72c28
SHA1

05efffcdda520a5f8f4e26cf855bc6db3b401329
SHA256

5270b96f3bf0d567f3a4a19cc45f75ed239b108e4ba6cda952129de514f53f94
SHA512

fbafc8555109ded8a07cd133894f59656489cdaea4c0d8f83bc11fceeda87fcd4ca3f4265929e09ea951e2e81ba0b43541f61badcf19d533a1de0516aa2aee5f
SSDEEP

768:OMEIYFGvoErlLFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:ObIYYvoE1FKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
512	omsecor.exe
4088	omsecor.exe
1908	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 512	3288	5270b96f3bf0d567f3a4a19cc45f75ed239b108e4ba6cda952129de514f53f94.exe	81
PID 3288 wrote to memory of 512	3288	5270b96f3bf0d567f3a4a19cc45f75ed239b108e4ba6cda952129de514f53f94.exe	81
PID 3288 wrote to memory of 512	3288	5270b96f3bf0d567f3a4a19cc45f75ed239b108e4ba6cda952129de514f53f94.exe	81
PID 512 wrote to memory of 4088	512	omsecor.exe	84
PID 512 wrote to memory of 4088	512	omsecor.exe	84
PID 512 wrote to memory of 4088	512	omsecor.exe	84
PID 4088 wrote to memory of 1908	4088	omsecor.exe	85
PID 4088 wrote to memory of 1908	4088	omsecor.exe	85
PID 4088 wrote to memory of 1908	4088	omsecor.exe	85

C:\Users\Admin\AppData\Local\Temp\5270b96f3bf0d567f3a4a19cc45f75ed239b108e4ba6cda952129de514f53f94.exe
"C:\Users\Admin\AppData\Local\Temp\5270b96f3bf0d567f3a4a19cc45f75ed239b108e4ba6cda952129de514f53f94.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
b03f9a0ae6977a0d1264929d8d2cec76

SHA1
72455bb55222641d90b25efcb7114eada3522f8a

SHA256
6abcd89d0e9e8276835013192710cf16fddb86d2119b18ac17ffbfcae1214ac1

SHA512
a1f2e870c8ac7c602952040cf178ca029c46baf754348b715238b033c57a05c5b7bb1fa5b1f536dad1d4b1656645eee8d7d2bb7e6f9f35aa614ef9e36f2d86c2

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
7706350b2685efa24810aba655802d6d

SHA1
9982e22c3e566556405449ff46851498a4bc70ad

SHA256
65e452fc0540712c619f084bc5734835f8df22045d4c32bd98ce2c63fac6d092

SHA512
5930d28a835fcc334dfd3ba980ab521e2dd27e6b4c66b7cbe0bfaa838f0ca542a52e7eb8044658fc99eb920482fd5e9523de3b142874032f6957ed923bbe2438

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
90baee2667e8c19b499bf560b14780be

SHA1
1476af36e99fce107c50344fb6155b0f50914adb

SHA256
544e78be2123031358fc4a55323b8c39e8f70584802d4e1d105f097b825914c3

SHA512
1c946f8745acba4a8e4abb0c1d77d19b38ad166682550231dcf019c6e9d410c86b5a7a281597a0798ca174c9c8bbfecef210fc56d628258ac435e0119d3cb51c

Download Submit
memory/512-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/512-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/512-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1908-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1908-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3288-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3288-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4088-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4088-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download