neconyd | dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab.exe
Size

92KB
MD5

8f3fa2efea2f458ff0fe01de23122487
SHA1

cf886d14754740cc502ab4a670cc808564d0b513
SHA256

dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab
SHA512

dfb7704b5c5c64c22332c38eb6028344dfb3d9d8df813e925ffa8f0ea1e05ae23dc714dc848b093743718cd910c23602e226a539f0e50901521a588e7eb896a9
SSDEEP

768:uMEIvFGvZEr8LFK0ic4PN47eSdYAHwmZNp6JXXlaa5uA:ubIvYvZEyFKFPN4yS+AQmZol/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
1980	omsecor.exe
2448	omsecor.exe
1984	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2164	dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab.exe
2164	dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab.exe
1980	omsecor.exe
1980	omsecor.exe
2448	omsecor.exe
2448	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 1980	2164	dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab.exe	28
PID 2164 wrote to memory of 1980	2164	dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab.exe	28
PID 2164 wrote to memory of 1980	2164	dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab.exe	28
PID 2164 wrote to memory of 1980	2164	dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab.exe	28
PID 1980 wrote to memory of 2448	1980	omsecor.exe	32
PID 1980 wrote to memory of 2448	1980	omsecor.exe	32
PID 1980 wrote to memory of 2448	1980	omsecor.exe	32
PID 1980 wrote to memory of 2448	1980	omsecor.exe	32
PID 2448 wrote to memory of 1984	2448	omsecor.exe	33
PID 2448 wrote to memory of 1984	2448	omsecor.exe	33
PID 2448 wrote to memory of 1984	2448	omsecor.exe	33
PID 2448 wrote to memory of 1984	2448	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab.exe
"C:\Users\Admin\AppData\Local\Temp\dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
515addfc9b7e67959c8ad8428e32fb95

SHA1
bfa921366cc818026676794e0ec12e8f5d035252

SHA256
86cfc771601170448e901675768408cb401bf8a4f8ce332bc82ef657ffc6b526

SHA512
65466a753e4b2a775216821109a8d058a3c6bd3e799b0e74dade461a8ac06e19bc72d32037c9f569b09cc863a9d94f5e1b28f794d8e675d7f0de3a15efdc276c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
3dd6eb041a61cc699d4df64bf08d82ab

SHA1
7bcd992b3dc4d2f3f190d34c2ce9cf21febc9237

SHA256
8e60db4ea58acb88f9c6e66abb8467582752ab596416ef69dd6a99068bcb2fb3

SHA512
003ac69bd62e37c90f8342244f6f326d3c8785a6d3c1bc5eeb4536f2aaf53f930f995e40545a6c8f6f2967009993d4e2b788a59efc029726b158a80819f9c0fe

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
68583be73ab4af9f0be836eada1ab602

SHA1
5c4468a16dba28ed21d384a7250b2f63ab86fe3d

SHA256
b6f4894da05de0ef876b15ccb1d65f4d8faa5c82a79a883ca3a3f9987e0c4878

SHA512
06fccc068b9aef4879c5eb47313fa25fa997ec5a38982761cd3f9ad24edb14a5f925af22f7f5a6e4158684c37d87a222f0f4383a6eac1002ec7634fa90545af3

Download Submit
memory/1980-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1980-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1980-17-0x0000000000350000-0x000000000037B000-memory.dmp

Filesize
172KB

Download
memory/1980-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1984-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1984-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2164-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2164-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2448-29-0x00000000003A0000-0x00000000003CB000-memory.dmp

Filesize
172KB

Download
memory/2448-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download