neconyd | 49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe
Size

96KB
MD5

4c7738cdcea0993ad15b2bb5cdf2da59
SHA1

199dbea4a3ead2737f04f44ad8b16b4de441589e
SHA256

49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0
SHA512

8e144a0e0a00da69aedf92c88256f9c97f19e807e54801007ecb97f44ce21f5fad42b1354785ea7b9c30747dd2a5a0769e326ba6dd0ae52b9d4768602f661027
SSDEEP

1536:6nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxL:6Gs8cd8eXlYairZYqMddH13L

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
1916	omsecor.exe
2580	omsecor.exe
1312	omsecor.exe
1880	omsecor.exe
788	omsecor.exe
3244	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1492 set thread context of 3888	1492	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	83
PID 1916 set thread context of 2580	1916	omsecor.exe	89
PID 1312 set thread context of 1880	1312	omsecor.exe	98
PID 788 set thread context of 3244	788	omsecor.exe	101

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2356	1492	WerFault.exe	82
3996	1916	WerFault.exe	86
2128	1312	WerFault.exe	97
1776	788	WerFault.exe	100

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 3888	1492	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	83
PID 1492 wrote to memory of 3888	1492	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	83
PID 1492 wrote to memory of 3888	1492	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	83
PID 1492 wrote to memory of 3888	1492	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	83
PID 1492 wrote to memory of 3888	1492	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	83
PID 3888 wrote to memory of 1916	3888	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	86
PID 3888 wrote to memory of 1916	3888	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	86
PID 3888 wrote to memory of 1916	3888	49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe	86
PID 1916 wrote to memory of 2580	1916	omsecor.exe	89
PID 1916 wrote to memory of 2580	1916	omsecor.exe	89
PID 1916 wrote to memory of 2580	1916	omsecor.exe	89
PID 1916 wrote to memory of 2580	1916	omsecor.exe	89
PID 1916 wrote to memory of 2580	1916	omsecor.exe	89
PID 2580 wrote to memory of 1312	2580	omsecor.exe	97
PID 2580 wrote to memory of 1312	2580	omsecor.exe	97
PID 2580 wrote to memory of 1312	2580	omsecor.exe	97
PID 1312 wrote to memory of 1880	1312	omsecor.exe	98
PID 1312 wrote to memory of 1880	1312	omsecor.exe	98
PID 1312 wrote to memory of 1880	1312	omsecor.exe	98
PID 1312 wrote to memory of 1880	1312	omsecor.exe	98
PID 1312 wrote to memory of 1880	1312	omsecor.exe	98
PID 1880 wrote to memory of 788	1880	omsecor.exe	100
PID 1880 wrote to memory of 788	1880	omsecor.exe	100
PID 1880 wrote to memory of 788	1880	omsecor.exe	100
PID 788 wrote to memory of 3244	788	omsecor.exe	101
PID 788 wrote to memory of 3244	788	omsecor.exe	101
PID 788 wrote to memory of 3244	788	omsecor.exe	101
PID 788 wrote to memory of 3244	788	omsecor.exe	101
PID 788 wrote to memory of 3244	788	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe
"C:\Users\Admin\AppData\Local\Temp\49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe
  C:\Users\Admin\AppData\Local\Temp\49a63cc7dabfe0bf43910ec0599d4f70042d9d71eb1c7fa2dd918c21e815a5e0.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1312
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 256
        8⤵
        Program crash
        
        PID:1776
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 292
        6⤵
        Program crash
        
        PID:2128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 300
      4⤵
      Program crash
      PID:3996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 288
  2⤵
  - Program crash
  PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1492 -ip 1492
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1916 -ip 1916
1⤵
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1312 -ip 1312
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 788 -ip 788
1⤵
PID:1308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
baa8afde4e25c4aca05f41c5b663390f

SHA1
26bd6a9a296ba3ae94b3fadbf0a60e63a1f6dabe

SHA256
240f5d644972b579a4bfdc7543ecebbbba4933b0ea44fbcb0a17f12deeaf14a8

SHA512
930ac50685b7c835066ebb059d148ab9f4a9bb064dc56d013a3766d610953e821650ad866376ec2eeeb12f2fc11ab3205952877f0f9ade74a654d1a5417235e6

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
4fceca16a34b8da24e3b80153b37da27

SHA1
91e113da1076f4e00f57619c74c5be7202985076

SHA256
c2e582f02287286d9566649bb7aa91ca6b81537e0d1d19249ef97d6265ce3ebc

SHA512
6ce0040614d8af89fdd44e3ca2e00b173118ebb75c3b3c20d541b6e9d073eddd8e4004de411e9e7b300435b70879e29d9675f87efbe4333395813e7f96b85440

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
c90e656d07bf93a87648b216275b7d7e

SHA1
f807fbf97a30460d7c58014aea2d8ae966f0072a

SHA256
f56854e3c0315dcce0f785f6ddcb1108d13d45f05893b154c236f9fdbbd1fdd5

SHA512
7027d1d1b48fbe470277fa53eb6298d1d391e31ddcc98712a882d0a9ac065621d9fe87aebffc8f8c09d0ba2a25a1a3d0f328debf6e789d0797820950ebc00e2d

Download Submit
memory/788-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1312-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1492-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1492-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1880-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1880-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1880-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1916-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1916-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2580-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2580-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2580-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2580-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2580-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2580-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2580-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3244-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3244-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3244-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3244-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3888-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3888-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3888-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3888-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download