neconyd | 668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23

Analysis

max time kernel
120s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23.exe
Size

65KB
MD5

05a2c5419bb6147524a16d30fe6aafb1
SHA1

ee84a1d03382323ab247c3cb7d93a1646b0e4b44
SHA256

668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23
SHA512

a81d53fa400ad68f18de55055e32fd08ab656b9e2c9e4cc58dd6c8cd04df46a55a390b24a22a359cc37a054ce4df9f28a9d12de970d0f654e1aaba6a788230fb
SSDEEP

1536:wd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZcl/5:wdseIO+EZEyFjEOFqTiQmOl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2576	omsecor.exe
1016	omsecor.exe
2096	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1912	668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23.exe
1912	668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23.exe
2576	omsecor.exe
2576	omsecor.exe
1016	omsecor.exe
1016	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2576	1912	668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23.exe	28
PID 1912 wrote to memory of 2576	1912	668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23.exe	28
PID 1912 wrote to memory of 2576	1912	668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23.exe	28
PID 1912 wrote to memory of 2576	1912	668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23.exe	28
PID 2576 wrote to memory of 1016	2576	omsecor.exe	32
PID 2576 wrote to memory of 1016	2576	omsecor.exe	32
PID 2576 wrote to memory of 1016	2576	omsecor.exe	32
PID 2576 wrote to memory of 1016	2576	omsecor.exe	32
PID 1016 wrote to memory of 2096	1016	omsecor.exe	33
PID 1016 wrote to memory of 2096	1016	omsecor.exe	33
PID 1016 wrote to memory of 2096	1016	omsecor.exe	33
PID 1016 wrote to memory of 2096	1016	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23.exe
"C:\Users\Admin\AppData\Local\Temp\668488d8e53fe8c3e1fff8d0025024a1a4608782b126382f1d29041f7f97fa23.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:2096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
967fb98aba3fb7e9d8729fceee6ad210

SHA1
f29a856ec32285357ed5ccbeba1d03142a001825

SHA256
a65f620bd1fc4f28e92c585ef798b11e76d1bd4065a80e24fe5bd4e5b2ca3fbc

SHA512
c43ff7a0b146d9b96bc56aee82480486ffd7f31831098ac2b4db28ed45e64c2438f3a99e9ff7c93aff308fe9295f25aa04e68e4f843e4664ca8a6ebb6395d734

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
32dd0d6494acc78d4805d3c394eea867

SHA1
d835bc17f6b21162213f4a9c918d785abc4f9a93

SHA256
c15a0614489bb1eb9d118ed513cbca31edb689129bf59b370a2323350b6a8c65

SHA512
ff68caa595668793b6f1e6541f4db03167e4eb63cc5386a41e4d31eb4cafe7dd281be93d7026ba05951ea1aa1d20291a59b35e02c40481663427715fd0d5f9a0

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
c8609176c7cac557d0700c64044b2d57

SHA1
a3a83a154dcf8367c1ad5a6504ede8ada9ba60e1

SHA256
648a774740137c364c9dfbdd9ec57d15d11e9c9b975ef387860dccf9147c4d1d

SHA512
fe295d98a00445d905820ce518272db2f9a7b86f6b312e80ba624aef45a04159f4e0de5b820b3bfd1283a3c3ea8a0dcf9c2fa70ccafea436d3e89212505fe07c

Download Submit
memory/1016-31-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1912-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1912-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2096-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2096-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2576-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2576-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2576-21-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2576-15-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download