neconyd | 9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e.exe
Size

96KB
MD5

7d239cae3426f32529ce5330b6571809
SHA1

779811f8258bde00a1e1cf47047791eb68efd4a7
SHA256

9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e
SHA512

1fed931a826546957a1f1cb5feaef156f285c6cb7f924795e627402dd73d67924022935d5c63220467845f785f94808d388ac2d75235115a6ec5f1beff6f9809
SSDEEP

1536:knAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:kGs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Detects executables built or packed with MPress PE compressor 12 IoCs

resource	yara_rule
behavioral1/memory/2196-0-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2196-7-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000c000000015cb1-18.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2088-14-0x00000000001C0000-0x00000000001E3000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2936-31-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000004ed7-45.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2540-46-0x0000000002330000-0x0000000002353000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1600-56-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1600-65-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000c000000015cb1-74.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2012-78-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2012-85-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 6 IoCs

pid	Process
2936	omsecor.exe
2540	omsecor.exe
1600	omsecor.exe
2032	omsecor.exe
2012	omsecor.exe
2756	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2088	9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e.exe
2088	9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e.exe
2936	omsecor.exe
2540	omsecor.exe
2540	omsecor.exe
2032	omsecor.exe
2032	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2196 set thread context of 2088	2196	9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e.exe	28
PID 2936 set thread context of 2540	2936	omsecor.exe	30
PID 1600 set thread context of 2032	1600	omsecor.exe	35
PID 2012 set thread context of 2756	2012	omsecor.exe	37

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2088	2196	9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e.exe	28
PID 2196 wrote to memory of 2088	2196	9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e.exe	28
PID 2196 wrote to memory of 2088	2196	9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e.exe	28
PID 2196 wrote to memory of 2088	2196	9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e.exe	28
PID 2196 wrote to memory of 2088	2196	9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e.exe	28
PID 2196 wrote to memory of 2088	2196	9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e.exe	28
PID 2088 wrote to memory of 2936	2088	9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e.exe	29
PID 2088 wrote to memory of 2936	2088	9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e.exe	29
PID 2088 wrote to memory of 2936	2088	9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e.exe	29
PID 2088 wrote to memory of 2936	2088	9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e.exe	29
PID 2936 wrote to memory of 2540	2936	omsecor.exe	30
PID 2936 wrote to memory of 2540	2936	omsecor.exe	30
PID 2936 wrote to memory of 2540	2936	omsecor.exe	30
PID 2936 wrote to memory of 2540	2936	omsecor.exe	30
PID 2936 wrote to memory of 2540	2936	omsecor.exe	30
PID 2936 wrote to memory of 2540	2936	omsecor.exe	30
PID 2540 wrote to memory of 1600	2540	omsecor.exe	34
PID 2540 wrote to memory of 1600	2540	omsecor.exe	34
PID 2540 wrote to memory of 1600	2540	omsecor.exe	34
PID 2540 wrote to memory of 1600	2540	omsecor.exe	34
PID 1600 wrote to memory of 2032	1600	omsecor.exe	35
PID 1600 wrote to memory of 2032	1600	omsecor.exe	35
PID 1600 wrote to memory of 2032	1600	omsecor.exe	35
PID 1600 wrote to memory of 2032	1600	omsecor.exe	35
PID 1600 wrote to memory of 2032	1600	omsecor.exe	35
PID 1600 wrote to memory of 2032	1600	omsecor.exe	35
PID 2032 wrote to memory of 2012	2032	omsecor.exe	36
PID 2032 wrote to memory of 2012	2032	omsecor.exe	36
PID 2032 wrote to memory of 2012	2032	omsecor.exe	36
PID 2032 wrote to memory of 2012	2032	omsecor.exe	36
PID 2012 wrote to memory of 2756	2012	omsecor.exe	37
PID 2012 wrote to memory of 2756	2012	omsecor.exe	37
PID 2012 wrote to memory of 2756	2012	omsecor.exe	37
PID 2012 wrote to memory of 2756	2012	omsecor.exe	37
PID 2012 wrote to memory of 2756	2012	omsecor.exe	37
PID 2012 wrote to memory of 2756	2012	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e.exe
"C:\Users\Admin\AppData\Local\Temp\9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e.exe
  C:\Users\Admin\AppData\Local\Temp\9bccb2034b9a3fb750f186a47df5857072d0a19065a0706fcfa020824600854e.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:2756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
abe62148ffa7f11669a6143081f89bf3

SHA1
4e642271706bb7d2c957b0e3423d6166a9ebf2bb

SHA256
c28f337a2e35bc4e5f9eaeb96510858b0fae81ac5da5b77758b7f3f4c89d041f

SHA512
552fcf9f1c5e03d671f4b2862866b32dbe63a397c7b51bb82e5509ba76a5518139829ddd58f817bf74dc5b6a0ffc64b5bbf8cfc70709745405e4bcb41912ea1f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
de45d79760620cce76d654f40a9fafa2

SHA1
d5709be0317d546b74375462fde6e0128c7393ff

SHA256
ac41354520783af3ce88ed148d7348e35de4c40b2f26433328586c34e4fe44fe

SHA512
e4337a2880f0aa5a855424c90bb5bd53a1ec12382b1e32bbd29923f6b154ef0ea3a1a3d06457aae3275633abbfd67bf8192cc6de12ed5333166224288838a2f1

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
e3ed853005cad84dca6d6c9f438b7c8b

SHA1
6fbaef848b80937309b2db31bbe9b2f823d82a6e

SHA256
6d3334463524b54266ea45b8a89ad37e82197d110254b30e8c89f9255f5b960f

SHA512
d386db2dd3b9cef49ec97e7123b97787839a30f466382544d36852abc7e1f1ad5fe6405a33e4156c4ca5ad5117ec126598c40df1649d0c4b8c971218e4801df7

Download Submit
memory/1600-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1600-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2012-85-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2012-78-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2088-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2088-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2088-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2088-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2088-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2088-14-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/2196-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2196-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2540-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-46-0x0000000002330000-0x0000000002353000-memory.dmp

Filesize
140KB

Download
memory/2540-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2936-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download