neconyd | 06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0

Analysis

max time kernel
142s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe
Size

72KB
MD5

9a0584fbce47d592dae45689049a44d4
SHA1

5cd3174b1116f5f06287e9c0df5d962b7e8acda6
SHA256

06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0
SHA512

a217f638a6edc71c64c4afd62252dad20f0739c06ce55ad13c49e17f19d7d76ebd8c497398fdc47a10bc2d5fe3b4f1d605ee0eaeb1e0e07fd221236ce1973c90
SSDEEP

768:7MEIvFGvoEr8LFK0ic46N47eSvYAHwmZGp6JXXlaa5uA:7bIvYvoEyFKF6N4ySAAQmZTl/5

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

4520 omsecor.exe
5040 omsecor.exe
2292 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
4520	omsecor.exe
5040	omsecor.exe
2292	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1724 wrote to memory of 4520	1724	06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe	omsecor.exe
PID 1724 wrote to memory of 4520	1724	06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe	omsecor.exe
PID 1724 wrote to memory of 4520	1724	06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe	omsecor.exe
PID 4520 wrote to memory of 5040	4520	omsecor.exe	omsecor.exe
PID 4520 wrote to memory of 5040	4520	omsecor.exe	omsecor.exe
PID 4520 wrote to memory of 5040	4520	omsecor.exe	omsecor.exe
PID 5040 wrote to memory of 2292	5040	omsecor.exe	omsecor.exe
PID 5040 wrote to memory of 2292	5040	omsecor.exe	omsecor.exe
PID 5040 wrote to memory of 2292	5040	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe
"C:\Users\Admin\AppData\Local\Temp\06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:2292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
72KB

MD5
fe329954fdb83adffe829e3c870d786d

SHA1
717b015241b9f27014321c0116e550af27483a0b

SHA256
fba7e52179052b3330552ef566dd4a98f57cbdfe28d76e85a0d6361c64394021

SHA512
9a0362b786734bd2e92415ae8785ec1f3faca37b7faf2c64d912e765da991d7f66fa78dfd452a744743b9e1ab25f0840b0c7c98bfc1a729d0cb18d5f12037e89

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
72KB

MD5
19ccaf464a091e062b03fb80d35f1c27

SHA1
0c0e9b32f66d49e2754af7ff83f2109bd643c470

SHA256
8906730d7858dcd68ea18026427d8934b326abfc3a5d0d8070cb18430de7a53d

SHA512
6e413b862bb7fbb1bebcebabe0dd0397185e2625ec17364c21720d12179583e4965f279c56798049aeef45367a5031b324c6122888c2b6bba21ca40610bdf96c

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
72KB

MD5
606da41b97cb0c85ad806851fa847c6f

SHA1
18709394fc2beb212c8db8a3baea00a178016a2d

SHA256
a870a29edc76af9a7c487ecac88ab8f0e6f3697246c90aba93c28d82118d3771

SHA512
09031a77d8727659f1889aa54395ea0248eba2aeafcc41e2f5f2640f13cb70792b2b479b520cc3c80e660ea9916d930f057ff6b901a5a73c5d392d1387004b88

Download Submit
memory/1724-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1724-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2292-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2292-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4520-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4520-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4520-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5040-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5040-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download