neconyd | f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9.exe
Size

92KB
MD5

6bc7d09b34f66619a52cb94681609178
SHA1

b2e26fe961d14b823370701f2eb2b92849af9e77
SHA256

f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9
SHA512

07e014f150d0df5549360a53cfe22f6faf46a3fde31041de3dc9062b24c8564143b86f02f313f56eae96f41a5bfad87aa1159882ae26e98067ceea60a435ebfc
SSDEEP

1536:md9dseIOcEE3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:edseIO/EZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2100 omsecor.exe
1896 omsecor.exe
3672 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
2100	omsecor.exe
1896	omsecor.exe
3672	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 4588 wrote to memory of 2100	4588	f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9.exe	omsecor.exe
PID 4588 wrote to memory of 2100	4588	f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9.exe	omsecor.exe
PID 4588 wrote to memory of 2100	4588	f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9.exe	omsecor.exe
PID 2100 wrote to memory of 1896	2100	omsecor.exe	omsecor.exe
PID 2100 wrote to memory of 1896	2100	omsecor.exe	omsecor.exe
PID 2100 wrote to memory of 1896	2100	omsecor.exe	omsecor.exe
PID 1896 wrote to memory of 3672	1896	omsecor.exe	omsecor.exe
PID 1896 wrote to memory of 3672	1896	omsecor.exe	omsecor.exe
PID 1896 wrote to memory of 3672	1896	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9.exe
"C:\Users\Admin\AppData\Local\Temp\f2ac925ed9c3727ae63f1e754ffc4aeff43a672d5ad9ceffd5e8504cd4204ca9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4588

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:3672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
d18c9c915c1c8993e9b0c7eb703cb006

SHA1
ec69ed6289d4397a8124862a98492970267be40a

SHA256
8b55539c939d8cc6a4f0d34755287244d2fa373559b309797a6f8d86865aa0b2

SHA512
416a566a64e3098443c224aa8e99c5c1d565fba29dda33687c9b4de2e874bb589ae3302479a8b41c5311a930985dc4ea5bce77012cb30658b16ce8e211b10179

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
06c7438dfe4b5b96eabfaa786e5b5b91

SHA1
d54d401a62a0e824e687df42ea8bdf01143b50c9

SHA256
77f8bd7c9e090320d6d1b27077cbc305ee5f169381da9b2793c7b9dd895f8ae1

SHA512
79bf819ba63a8ba04518da8ac4af04b336dd4c0a377b07f2c5b2baf1169ce362e59049f9498fe8f44e7be4ab44db872a2b5f2579b40a4cc54448900eb0840d2f

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
92KB

MD5
e1a2981e555ac15bc66cc430e145ae9c

SHA1
efd686adcd376d78ae6a4536461e3602d3f1a56c

SHA256
64495032ea8c10cc44daaf5a74cbb8aa1850a38131dd3b88bb6716f7eab6139f

SHA512
1a3af6c93f985f85d984144668f1258d3f9a08d261087674f283b2077993ce98b0f2651b02f2fd8790cad5c11df86263b0b3ba4b8d5c714732e9ac6ff3ec780d

Download Submit
memory/1896-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1896-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2100-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2100-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2100-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3672-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3672-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4588-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4588-3-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download