neconyd | 49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 22:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe
Size

96KB
MD5

4c7738cdcea0993ad15b2bb5cdf2da59
SHA1

199dbea4a3ead2737f04f44ad8b16b4de441589e
SHA256

49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0
SHA512

8e144a0e0a00da69aedf92c88256f9c97f19e807e54801007ecb97f44ce21f5fad42b1354785ea7b9c30747dd2a5a0769e326ba6dd0ae52b9d4768602f661027
SSDEEP

1536:6nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:6Gs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
2180	omsecor.exe
2708	omsecor.exe
304	omsecor.exe
1996	omsecor.exe
2000	omsecor.exe
1072	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2428	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe
2428	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe
2180	omsecor.exe
2708	omsecor.exe
2708	omsecor.exe
1996	omsecor.exe
1996	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1236 set thread context of 2428	1236	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	31
PID 2180 set thread context of 2708	2180	omsecor.exe	33
PID 304 set thread context of 1996	304	omsecor.exe	36
PID 2000 set thread context of 1072	2000	omsecor.exe	38

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 2428	1236	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	31
PID 1236 wrote to memory of 2428	1236	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	31
PID 1236 wrote to memory of 2428	1236	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	31
PID 1236 wrote to memory of 2428	1236	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	31
PID 1236 wrote to memory of 2428	1236	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	31
PID 1236 wrote to memory of 2428	1236	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	31
PID 2428 wrote to memory of 2180	2428	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	32
PID 2428 wrote to memory of 2180	2428	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	32
PID 2428 wrote to memory of 2180	2428	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	32
PID 2428 wrote to memory of 2180	2428	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	32
PID 2180 wrote to memory of 2708	2180	omsecor.exe	33
PID 2180 wrote to memory of 2708	2180	omsecor.exe	33
PID 2180 wrote to memory of 2708	2180	omsecor.exe	33
PID 2180 wrote to memory of 2708	2180	omsecor.exe	33
PID 2180 wrote to memory of 2708	2180	omsecor.exe	33
PID 2180 wrote to memory of 2708	2180	omsecor.exe	33
PID 2708 wrote to memory of 304	2708	omsecor.exe	35
PID 2708 wrote to memory of 304	2708	omsecor.exe	35
PID 2708 wrote to memory of 304	2708	omsecor.exe	35
PID 2708 wrote to memory of 304	2708	omsecor.exe	35
PID 304 wrote to memory of 1996	304	omsecor.exe	36
PID 304 wrote to memory of 1996	304	omsecor.exe	36
PID 304 wrote to memory of 1996	304	omsecor.exe	36
PID 304 wrote to memory of 1996	304	omsecor.exe	36
PID 304 wrote to memory of 1996	304	omsecor.exe	36
PID 304 wrote to memory of 1996	304	omsecor.exe	36
PID 1996 wrote to memory of 2000	1996	omsecor.exe	37
PID 1996 wrote to memory of 2000	1996	omsecor.exe	37
PID 1996 wrote to memory of 2000	1996	omsecor.exe	37
PID 1996 wrote to memory of 2000	1996	omsecor.exe	37
PID 2000 wrote to memory of 1072	2000	omsecor.exe	38
PID 2000 wrote to memory of 1072	2000	omsecor.exe	38
PID 2000 wrote to memory of 1072	2000	omsecor.exe	38
PID 2000 wrote to memory of 1072	2000	omsecor.exe	38
PID 2000 wrote to memory of 1072	2000	omsecor.exe	38
PID 2000 wrote to memory of 1072	2000	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe
"C:\Users\Admin\AppData\Local\Temp\49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Local\Temp\49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe
  C:\Users\Admin\AppData\Local\Temp\49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:304
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:1072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
4fceca16a34b8da24e3b80153b37da27

SHA1
91e113da1076f4e00f57619c74c5be7202985076

SHA256
c2e582f02287286d9566649bb7aa91ca6b81537e0d1d19249ef97d6265ce3ebc

SHA512
6ce0040614d8af89fdd44e3ca2e00b173118ebb75c3b3c20d541b6e9d073eddd8e4004de411e9e7b300435b70879e29d9675f87efbe4333395813e7f96b85440

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
9bc06a45de259a279297cb2db9aa803a

SHA1
06629c14a5aaaff129eae676ef51a43fe5277ff8

SHA256
5c7a06c2fba141c5d094494dc13665e2eb133bc849480d25e149f550e02069ff

SHA512
3b2b06f282e5fe3845e48025880c6c70fab47753d47ca64b56b5932d20eb2f6b682d59b6d16440b0e14402e6ae04fbab5784f8f7eafc273be248466b243d9941

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
08296c199532c798dcf0e575de1c9160

SHA1
6bde904f28b9f264f585b66f1311dba1d6c558db

SHA256
dba0fbd8aa44d932ba74f3ae859235a0e3074bc233b6e793c5da708a49e06144

SHA512
5cea6d00ac23b39cce01d106bdd98f75c4b14190f77d95caad9e4f79a1c20aa38c38c84a1884956bb273b35a28aadb444796889cc8726383ccaa97c0733abe9a

Download Submit
memory/304-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/304-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1072-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1072-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1236-35-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1236-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1236-6-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1996-73-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/1996-76-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2000-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2000-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2180-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2428-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2428-13-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download
memory/2708-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2708-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2708-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2708-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2708-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download