neconyd | ebbe51ddad5dd8e18115a495db5ea4736405692b5436775a05d34838b8375f3a

Analysis

max time kernel
115s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afbd69be0464f2b923e84d86121838a0N.exe
Size

134KB
MD5

afbd69be0464f2b923e84d86121838a0
SHA1

4e86c4a8b465058f04e63e1e1749bddbc31931f7
SHA256

ebbe51ddad5dd8e18115a495db5ea4736405692b5436775a05d34838b8375f3a
SHA512

98784665d6e3f0388073bcaf630cd8d282b1d9cd95374f30515276c9fb7438913ecafaaf00594ab325da1abb353315d45da393eb5dc7f60791559c98ee53f97a
SSDEEP

1536:WDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:IiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
2376	omsecor.exe
2332	omsecor.exe
3044	omsecor.exe
1948	omsecor.exe
2028	omsecor.exe
2060	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2428	afbd69be0464f2b923e84d86121838a0N.exe
2428	afbd69be0464f2b923e84d86121838a0N.exe
2376	omsecor.exe
2332	omsecor.exe
2332	omsecor.exe
1948	omsecor.exe
1948	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 2428	1984	afbd69be0464f2b923e84d86121838a0N.exe	30
PID 2376 set thread context of 2332	2376	omsecor.exe	32
PID 3044 set thread context of 1948	3044	omsecor.exe	36
PID 2028 set thread context of 2060	2028	omsecor.exe	38

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2428	1984	afbd69be0464f2b923e84d86121838a0N.exe	30
PID 1984 wrote to memory of 2428	1984	afbd69be0464f2b923e84d86121838a0N.exe	30
PID 1984 wrote to memory of 2428	1984	afbd69be0464f2b923e84d86121838a0N.exe	30
PID 1984 wrote to memory of 2428	1984	afbd69be0464f2b923e84d86121838a0N.exe	30
PID 1984 wrote to memory of 2428	1984	afbd69be0464f2b923e84d86121838a0N.exe	30
PID 1984 wrote to memory of 2428	1984	afbd69be0464f2b923e84d86121838a0N.exe	30
PID 2428 wrote to memory of 2376	2428	afbd69be0464f2b923e84d86121838a0N.exe	31
PID 2428 wrote to memory of 2376	2428	afbd69be0464f2b923e84d86121838a0N.exe	31
PID 2428 wrote to memory of 2376	2428	afbd69be0464f2b923e84d86121838a0N.exe	31
PID 2428 wrote to memory of 2376	2428	afbd69be0464f2b923e84d86121838a0N.exe	31
PID 2376 wrote to memory of 2332	2376	omsecor.exe	32
PID 2376 wrote to memory of 2332	2376	omsecor.exe	32
PID 2376 wrote to memory of 2332	2376	omsecor.exe	32
PID 2376 wrote to memory of 2332	2376	omsecor.exe	32
PID 2376 wrote to memory of 2332	2376	omsecor.exe	32
PID 2376 wrote to memory of 2332	2376	omsecor.exe	32
PID 2332 wrote to memory of 3044	2332	omsecor.exe	35
PID 2332 wrote to memory of 3044	2332	omsecor.exe	35
PID 2332 wrote to memory of 3044	2332	omsecor.exe	35
PID 2332 wrote to memory of 3044	2332	omsecor.exe	35
PID 3044 wrote to memory of 1948	3044	omsecor.exe	36
PID 3044 wrote to memory of 1948	3044	omsecor.exe	36
PID 3044 wrote to memory of 1948	3044	omsecor.exe	36
PID 3044 wrote to memory of 1948	3044	omsecor.exe	36
PID 3044 wrote to memory of 1948	3044	omsecor.exe	36
PID 3044 wrote to memory of 1948	3044	omsecor.exe	36
PID 1948 wrote to memory of 2028	1948	omsecor.exe	37
PID 1948 wrote to memory of 2028	1948	omsecor.exe	37
PID 1948 wrote to memory of 2028	1948	omsecor.exe	37
PID 1948 wrote to memory of 2028	1948	omsecor.exe	37
PID 2028 wrote to memory of 2060	2028	omsecor.exe	38
PID 2028 wrote to memory of 2060	2028	omsecor.exe	38
PID 2028 wrote to memory of 2060	2028	omsecor.exe	38
PID 2028 wrote to memory of 2060	2028	omsecor.exe	38
PID 2028 wrote to memory of 2060	2028	omsecor.exe	38
PID 2028 wrote to memory of 2060	2028	omsecor.exe	38

C:\Users\Admin\AppData\Local\Temp\afbd69be0464f2b923e84d86121838a0N.exe
"C:\Users\Admin\AppData\Local\Temp\afbd69be0464f2b923e84d86121838a0N.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\afbd69be0464f2b923e84d86121838a0N.exe
  C:\Users\Admin\AppData\Local\Temp\afbd69be0464f2b923e84d86121838a0N.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3044
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:2060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
f401753ca322f1287b7388fe1e7da389

SHA1
0029f85fd017b69e1de3dca7a7d2894ffc9b9798

SHA256
f5aade652af43c5063f9a0ad6b7561a160775fddc09206262354b2a08df70ecf

SHA512
46518a3392a4b0d19a40f8bd76e68fc4a13305b00170fbfed5329cec7fb50e09c069d79a80fadde2f52df8fe011a94893d535906cbcd2ec669af09ddddb667df

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
909374546f27a48cefd53da1cdeef5fa

SHA1
8cf690aadddc7c750c689d8930c76d2530d2f215

SHA256
e84f909c79e2c9e518463d0cd813177124c04001c103934fdb8855652c0f29b0

SHA512
4fd35392896ff49282eb3c6bda66650f03851c8dc255a3b087f9d2d6d3e94b91a030c1a04479235af7053cd7d2953fbaedf583588c2991fc8b002855ba6e746c

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
0effa449ff6991b0e152ce85d5d0d6b7

SHA1
a7a3ef361d7cd1a4c982745a7fb9df3ea6d41bc4

SHA256
50537408b837c8b9e3ba1294018c7f0067dd1cc6a4a14f1e29f2e363e724dcb2

SHA512
7337e041b1391072ed711e1b622f43d0eec80d0e99e265cf49c9c812e7cd8931055fe1b27878bcce668c6854c9686c681065b2e2b58fb4692c32fb38f633da21

Download Submit
memory/1984-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1984-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2028-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2028-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2060-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-47-0x0000000000470000-0x0000000000494000-memory.dmp

Filesize
144KB

Download
memory/2332-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2376-36-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2376-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2376-32-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2376-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2428-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3044-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3044-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download