neconyd | 12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 19:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78.exe
Size

76KB
MD5

52d431afd5444972c8e6a6899594069c
SHA1

fad3a794109e065e4f506f5a7bf2c20e13768e24
SHA256

12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78
SHA512

effc45a9a07949b497f368bbcac62c863710ad1c69cb73520bd78fb12ed79ff8589fe93821a9101548efb44ae327739f0f20e01d2068dc6d38dba288c271df02
SSDEEP

1536:zd9dseIOcE93jIvYvZEyF4EEOF6N4yS+AQmZTl/5Z11:zdseIOUEZEyFjEOFqTiQm5l/5Z11

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2060	omsecor.exe
1244	omsecor.exe
1848	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
840	12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78.exe
840	12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78.exe
2060	omsecor.exe
2060	omsecor.exe
1244	omsecor.exe
1244	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 2060	840	12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78.exe	28
PID 840 wrote to memory of 2060	840	12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78.exe	28
PID 840 wrote to memory of 2060	840	12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78.exe	28
PID 840 wrote to memory of 2060	840	12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78.exe	28
PID 2060 wrote to memory of 1244	2060	omsecor.exe	32
PID 2060 wrote to memory of 1244	2060	omsecor.exe	32
PID 2060 wrote to memory of 1244	2060	omsecor.exe	32
PID 2060 wrote to memory of 1244	2060	omsecor.exe	32
PID 1244 wrote to memory of 1848	1244	omsecor.exe	33
PID 1244 wrote to memory of 1848	1244	omsecor.exe	33
PID 1244 wrote to memory of 1848	1244	omsecor.exe	33
PID 1244 wrote to memory of 1848	1244	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78.exe
"C:\Users\Admin\AppData\Local\Temp\12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
95ad57406250e58fd37ce98e8ca104de

SHA1
07d9409a25b1787ecb85a586daf2f6ea28f4c8fc

SHA256
50506b04b52265632238f1124b849cbb3e31f4f73031763313ad66937bfb982e

SHA512
c675f434f4bcc184d5470c0fde4d56d670990221284eeebac28fa67e7bb85bf62982be7dea782aa8210743d123d09e613811f3bf48a86e3ebef4beb822acccb7

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
0dd0b36aadc6379efaf595bf08541051

SHA1
50463368ed96dcb68cc550e86cb0118964994cbe

SHA256
b8d6c71e66047b411bacaf265f2538b6862d6ac2d628d59b6be92f6f5c50d543

SHA512
5b3b9c0926a9e2ef8a5e02c0b58475dce44e882511977610a437e2784935576a73b6aa65ffde8d5fde92c85694d46a32115a8add3f25b387e3e5d28d4034245e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
ec116d374ec7fe2ad1dcd4c29bb9d0c5

SHA1
1b211d3dbab558e285556611c6a394a1991f81a2

SHA256
d516c919461bc6a98b7374457284080303f47bce09889ecac3e10f6c6845a1e7

SHA512
c21cce38a1ea68a5183a596fe23d2cddebaf3b518fce9bf5d24910ad61b15e7aa131d6d4f0a26362b6a054c354ad258ccce66b8b7a5a628e7aab67aa2ca8cbee

Download Submit
memory/840-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/840-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1244-30-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1244-29-0x00000000003A0000-0x00000000003CA000-memory.dmp

Filesize
168KB

Download
memory/1848-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1848-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2060-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2060-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2060-18-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2060-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download