neconyd | 33ccc527df2ece719cde70bd62630d49b44fe664da6cdf815b56c4eb2cc9b7ad

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33ccc527df2ece719cde70bd62630d49b44fe664da6cdf815b56c4eb2cc9b7ad.exe
Size

134KB
MD5

277aeea6d61bf51c8cdfb24d8de58056
SHA1

fc346fd775ecac621899f936875fcd3a86e8b9ee
SHA256

33ccc527df2ece719cde70bd62630d49b44fe664da6cdf815b56c4eb2cc9b7ad
SHA512

6d5d8335a4a5b2434cf0685527e7f12ebe67a03a0673b5f62074c7156b17bd0783cba826526c1870252385fe6330619212fa625ce5e61faa30012bc3a8a0c6de
SSDEEP

1536:hDfDbhERTatPLTH0NqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwC7M:BiRTeH0NqAW6J6f1tqF6dngNmaZC7M

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Detects executables built or packed with MPress PE compressor 9 IoCs

resource	yara_rule
behavioral2/memory/228-0-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1976-9-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0008000000022f51-10.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1976-17-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/228-18-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0010000000023437-29.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3056-34-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0008000000022f51-43.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1984-45-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 6 IoCs

pid	Process
1976	omsecor.exe
3700	omsecor.exe
3056	omsecor.exe
3900	omsecor.exe
1984	omsecor.exe
3688	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 228 set thread context of 208	228	33ccc527df2ece719cde70bd62630d49b44fe664da6cdf815b56c4eb2cc9b7ad.exe	83
PID 1976 set thread context of 3700	1976	omsecor.exe	87
PID 3056 set thread context of 3900	3056	omsecor.exe	110
PID 1984 set thread context of 3688	1984	omsecor.exe	113

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4040	1976	WerFault.exe	85
1404	228	WerFault.exe	82
2256	3056	WerFault.exe	109
2420	1984	WerFault.exe	112

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 208	228	33ccc527df2ece719cde70bd62630d49b44fe664da6cdf815b56c4eb2cc9b7ad.exe	83
PID 228 wrote to memory of 208	228	33ccc527df2ece719cde70bd62630d49b44fe664da6cdf815b56c4eb2cc9b7ad.exe	83
PID 228 wrote to memory of 208	228	33ccc527df2ece719cde70bd62630d49b44fe664da6cdf815b56c4eb2cc9b7ad.exe	83
PID 228 wrote to memory of 208	228	33ccc527df2ece719cde70bd62630d49b44fe664da6cdf815b56c4eb2cc9b7ad.exe	83
PID 228 wrote to memory of 208	228	33ccc527df2ece719cde70bd62630d49b44fe664da6cdf815b56c4eb2cc9b7ad.exe	83
PID 208 wrote to memory of 1976	208	33ccc527df2ece719cde70bd62630d49b44fe664da6cdf815b56c4eb2cc9b7ad.exe	85
PID 208 wrote to memory of 1976	208	33ccc527df2ece719cde70bd62630d49b44fe664da6cdf815b56c4eb2cc9b7ad.exe	85
PID 208 wrote to memory of 1976	208	33ccc527df2ece719cde70bd62630d49b44fe664da6cdf815b56c4eb2cc9b7ad.exe	85
PID 1976 wrote to memory of 3700	1976	omsecor.exe	87
PID 1976 wrote to memory of 3700	1976	omsecor.exe	87
PID 1976 wrote to memory of 3700	1976	omsecor.exe	87
PID 1976 wrote to memory of 3700	1976	omsecor.exe	87
PID 1976 wrote to memory of 3700	1976	omsecor.exe	87
PID 3700 wrote to memory of 3056	3700	omsecor.exe	109
PID 3700 wrote to memory of 3056	3700	omsecor.exe	109
PID 3700 wrote to memory of 3056	3700	omsecor.exe	109
PID 3056 wrote to memory of 3900	3056	omsecor.exe	110
PID 3056 wrote to memory of 3900	3056	omsecor.exe	110
PID 3056 wrote to memory of 3900	3056	omsecor.exe	110
PID 3056 wrote to memory of 3900	3056	omsecor.exe	110
PID 3056 wrote to memory of 3900	3056	omsecor.exe	110
PID 3900 wrote to memory of 1984	3900	omsecor.exe	112
PID 3900 wrote to memory of 1984	3900	omsecor.exe	112
PID 3900 wrote to memory of 1984	3900	omsecor.exe	112
PID 1984 wrote to memory of 3688	1984	omsecor.exe	113
PID 1984 wrote to memory of 3688	1984	omsecor.exe	113
PID 1984 wrote to memory of 3688	1984	omsecor.exe	113
PID 1984 wrote to memory of 3688	1984	omsecor.exe	113
PID 1984 wrote to memory of 3688	1984	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\33ccc527df2ece719cde70bd62630d49b44fe664da6cdf815b56c4eb2cc9b7ad.exe
"C:\Users\Admin\AppData\Local\Temp\33ccc527df2ece719cde70bd62630d49b44fe664da6cdf815b56c4eb2cc9b7ad.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\AppData\Local\Temp\33ccc527df2ece719cde70bd62630d49b44fe664da6cdf815b56c4eb2cc9b7ad.exe
  C:\Users\Admin\AppData\Local\Temp\33ccc527df2ece719cde70bd62630d49b44fe664da6cdf815b56c4eb2cc9b7ad.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3700
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:3688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 268
        8⤵
        Program crash
        
        PID:2420
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 292
        6⤵
        Program crash
        
        PID:2256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 288
      4⤵
      Program crash
      PID:4040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 300
  2⤵
  - Program crash
  PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 228 -ip 228
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 1976 -ip 1976
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3056 -ip 3056
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1984 -ip 1984
1⤵
PID:4296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
c08d0d9c768cffd9a6c3bb7bb1f1baaa

SHA1
0df2d84f7a245008ad417084bd1474945dab1707

SHA256
453cb284e3f16bfbdcf470eb705fc114d876ee989cba7a617c4cd482dfd1a191

SHA512
781a33ddfaa3f20b7ce370bee9cd520ab4c12cf4fa8eb637cfeb0d3138d1f6a86adcdae25a30ab96f16161e65a1b493ddd9d986e3249b5156cb9e41b078365ae

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
2579882ceb0e15191bcfee067020139d

SHA1
c0e433e5224fcb749de7999a63e7f11c3cc362e1

SHA256
124c8e382e8e7954f26d4d92c9a61833c29d9a57b8e38e332dabf0f9e00688f7

SHA512
e972274dabda27d851f9bc8d2327e9389a0df2bf2366f965685e7676202f66b98ab13727783e3715eb78b924c2ab7039db18a7009b617ec1197b65ab1f12c2e9

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
90f5cd9ad7829d5e66cbb22efd7a5c2f

SHA1
295fd3ed5b21938b7553ab7b0ae640c1a87303c8

SHA256
8bd4fc0e9bba3b846eb044307140a161f4f196e0bb87177dbc3a011746a49c03

SHA512
6c32d230020b34cb037900ae4496f8020d903073022bf95013a14f2b7121439c8f8c8ddb1b612bc4e3920ac7be0863fe3d631ec4b74bc73a308a13937735d6bd

Download Submit
memory/208-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/208-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/208-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/208-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/228-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/228-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1976-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1976-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1984-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3056-34-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3688-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3688-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3688-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3688-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3700-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3700-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3700-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3700-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3700-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3700-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3700-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3900-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3900-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3900-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download