neconyd | 67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299.exe
Size

90KB
MD5

5a11aab785c59ec05adf398478ffe464
SHA1

4153f9b93643947c61f63286c4ac8f78261b70e1
SHA256

67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299
SHA512

68a705c481fb88221a7ccb863b93e68d08fd2e795adac06cf3346009bc35d8967def36e017292cf81da09eced38e96433d2337fa6db6b49dc5c51159a9c20d09
SSDEEP

768:FMEIYFGvoErlLFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:FbIYYvoE1FKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2028	omsecor.exe
908	omsecor.exe
1588	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
1172	67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299.exe
1172	67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299.exe
2028	omsecor.exe
2028	omsecor.exe
908	omsecor.exe
908	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2028	1172	67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299.exe	28
PID 1172 wrote to memory of 2028	1172	67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299.exe	28
PID 1172 wrote to memory of 2028	1172	67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299.exe	28
PID 1172 wrote to memory of 2028	1172	67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299.exe	28
PID 2028 wrote to memory of 908	2028	omsecor.exe	32
PID 2028 wrote to memory of 908	2028	omsecor.exe	32
PID 2028 wrote to memory of 908	2028	omsecor.exe	32
PID 2028 wrote to memory of 908	2028	omsecor.exe	32
PID 908 wrote to memory of 1588	908	omsecor.exe	33
PID 908 wrote to memory of 1588	908	omsecor.exe	33
PID 908 wrote to memory of 1588	908	omsecor.exe	33
PID 908 wrote to memory of 1588	908	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299.exe
"C:\Users\Admin\AppData\Local\Temp\67be3fc4018b0aa2afae484458b320ce3d981f9f95928d057e0d893807f59299.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
ca145b5952594a01b5d3139b0a77d204

SHA1
bc6e793b973ad0bfcfdfaca18abde730058bec8b

SHA256
b3f1bdff491bf611ad94ee318063f125d9dc2e75749d04da1f39f393a04b2252

SHA512
4b63108461d5fc817cbb20a347fca7d42d9e12e223b458d67d331ea269f3ef0f06165784287b9c77a23978f424b937a7381c997a632ef16ab12e29b09e46baab

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
90KB

MD5
81442828e5ece7bf0bf556b13dc9b2fe

SHA1
e399779b11506433179303c97acb545324e40dec

SHA256
a8342345b00e7ad8209818dafc7ab0349eff41bd586589c61421448e628dab6b

SHA512
0aee75b18d7f33dafd5c928f0014bba4ba0928f5c37fe03ef018152c0f5aa2a1a86a9209adc3f6a1d5499fed712fc9966cfd602d475deb832d6312eb1dbb8ccf

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
90KB

MD5
30272d6256d9d0944f45c6ca14412cc0

SHA1
d9f1f002ad525e490e2da2010dd215626df41b44

SHA256
225c29bebaa670c155c031ecaaec745b9af766ed7a9e0f619a74065eff38556b

SHA512
f7a11ef6fba7e0b9e64e385cd55d8ab4598032b608d1aca65a5a8e99386c8da233840921461de62791497c375be906edceacec56297a7eff3f4c0c9d7667deb2

Download Submit
memory/908-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/908-29-0x00000000002C0000-0x00000000002EB000-memory.dmp

Filesize
172KB

Download
memory/908-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1172-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1588-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2028-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2028-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2028-16-0x0000000000280000-0x00000000002AB000-memory.dmp

Filesize
172KB

Download
memory/2028-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download