neconyd | 16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c

Analysis

max time kernel
142s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe
Size

92KB
MD5

6ba54844031eb80d4d6da6e516b8e657
SHA1

208618d23bb152da38915ddd1286f5d5e057e68b
SHA256

16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c
SHA512

ce776f945ee1f165713dd245438941c22ba2529dc2639d89c73e2fc6b91230112963fd9c0b9b1f5386d906746102309e1bf641824f9f38d67bb005254bcac483
SSDEEP

768:hMEIvFGvoEr8LFK0ic46N47eSvYAHwmZGp6JXXlaa5uA:hbIvYvoEyFKF6N4ySAAQmZTl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

5020 omsecor.exe
1432 omsecor.exe
4696 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
5020	omsecor.exe
1432	omsecor.exe
4696	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3032 wrote to memory of 5020	3032	16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe	omsecor.exe
PID 3032 wrote to memory of 5020	3032	16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe	omsecor.exe
PID 3032 wrote to memory of 5020	3032	16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe	omsecor.exe
PID 5020 wrote to memory of 1432	5020	omsecor.exe	omsecor.exe
PID 5020 wrote to memory of 1432	5020	omsecor.exe	omsecor.exe
PID 5020 wrote to memory of 1432	5020	omsecor.exe	omsecor.exe
PID 1432 wrote to memory of 4696	1432	omsecor.exe	omsecor.exe
PID 1432 wrote to memory of 4696	1432	omsecor.exe	omsecor.exe
PID 1432 wrote to memory of 4696	1432	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe
"C:\Users\Admin\AppData\Local\Temp\16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:4696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
1807f84b8d5487a93b0dc2e603e552ca

SHA1
c1a37a6e60b0e9712de5771077f0204ffc05e48f

SHA256
ce68dff961db96341f008ecf18fc0522545c43016c8a2575274513a7064b136b

SHA512
66ae644fdde1e2b1daf7a24e3c73d9d09d97f442c53d1b666851ac4e301a45b14b9173a0c9afe55636bef22f49568d0e6788a7600b551eae4df7d0df57f67a6e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
e1979a757a663d0d47976310da3a2fcb

SHA1
9e5073caac16ef7810beeca6e80d58324e102a38

SHA256
6ddf688fa5afce979fcd073964f7175ec38854b7e8c1bf163ee3526b238ba8be

SHA512
dc354566bd0fe60624b13bf2c91cdc099dc36b78842b137070f4fed841cbf40fe7392dcaac60d0c4ab8e5aafe3adf41dd707c5ef0b4c770523eefa30eed79134

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
92KB

MD5
b4bbe071fb4157bdbd1acc95b1d8a926

SHA1
d9b40a14bc1ecae2a5d8663dfa804fab967f6224

SHA256
c7c78a450b292a0605d157c4cd356fe1e781921cebaf8b4d7893c446bcce26af

SHA512
7d30484f6d96089617e6fbeba0f91dc223471284edb47afee673cf8b8f0578e9165115005e81228378ee70428f8d902e028728b21473e54d9b8199dcbd24663a

Download Submit
memory/1432-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1432-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3032-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3032-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4696-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4696-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5020-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5020-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5020-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download