neconyd | ebbe51ddad5dd8e18115a495db5ea4736405692b5436775a05d34838b8375f3a

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afbd69be0464f2b923e84d86121838a0N.exe
Size

134KB
MD5

afbd69be0464f2b923e84d86121838a0
SHA1

4e86c4a8b465058f04e63e1e1749bddbc31931f7
SHA256

ebbe51ddad5dd8e18115a495db5ea4736405692b5436775a05d34838b8375f3a
SHA512

98784665d6e3f0388073bcaf630cd8d282b1d9cd95374f30515276c9fb7438913ecafaaf00594ab325da1abb353315d45da393eb5dc7f60791559c98ee53f97a
SSDEEP

1536:WDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:IiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
2600	omsecor.exe
4444	omsecor.exe
2084	omsecor.exe
3304	omsecor.exe
4592	omsecor.exe
1440	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3244 set thread context of 3468	3244	afbd69be0464f2b923e84d86121838a0N.exe	84
PID 2600 set thread context of 4444	2600	omsecor.exe	89
PID 2084 set thread context of 3304	2084	omsecor.exe	99
PID 4592 set thread context of 1440	4592	omsecor.exe	103

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2204	3244	WerFault.exe	82
3080	2600	WerFault.exe	86
2748	2084	WerFault.exe	98
4116	4592	WerFault.exe	101

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 3468	3244	afbd69be0464f2b923e84d86121838a0N.exe	84
PID 3244 wrote to memory of 3468	3244	afbd69be0464f2b923e84d86121838a0N.exe	84
PID 3244 wrote to memory of 3468	3244	afbd69be0464f2b923e84d86121838a0N.exe	84
PID 3244 wrote to memory of 3468	3244	afbd69be0464f2b923e84d86121838a0N.exe	84
PID 3244 wrote to memory of 3468	3244	afbd69be0464f2b923e84d86121838a0N.exe	84
PID 3468 wrote to memory of 2600	3468	afbd69be0464f2b923e84d86121838a0N.exe	86
PID 3468 wrote to memory of 2600	3468	afbd69be0464f2b923e84d86121838a0N.exe	86
PID 3468 wrote to memory of 2600	3468	afbd69be0464f2b923e84d86121838a0N.exe	86
PID 2600 wrote to memory of 4444	2600	omsecor.exe	89
PID 2600 wrote to memory of 4444	2600	omsecor.exe	89
PID 2600 wrote to memory of 4444	2600	omsecor.exe	89
PID 2600 wrote to memory of 4444	2600	omsecor.exe	89
PID 2600 wrote to memory of 4444	2600	omsecor.exe	89
PID 4444 wrote to memory of 2084	4444	omsecor.exe	98
PID 4444 wrote to memory of 2084	4444	omsecor.exe	98
PID 4444 wrote to memory of 2084	4444	omsecor.exe	98
PID 2084 wrote to memory of 3304	2084	omsecor.exe	99
PID 2084 wrote to memory of 3304	2084	omsecor.exe	99
PID 2084 wrote to memory of 3304	2084	omsecor.exe	99
PID 2084 wrote to memory of 3304	2084	omsecor.exe	99
PID 2084 wrote to memory of 3304	2084	omsecor.exe	99
PID 3304 wrote to memory of 4592	3304	omsecor.exe	101
PID 3304 wrote to memory of 4592	3304	omsecor.exe	101
PID 3304 wrote to memory of 4592	3304	omsecor.exe	101
PID 4592 wrote to memory of 1440	4592	omsecor.exe	103
PID 4592 wrote to memory of 1440	4592	omsecor.exe	103
PID 4592 wrote to memory of 1440	4592	omsecor.exe	103
PID 4592 wrote to memory of 1440	4592	omsecor.exe	103
PID 4592 wrote to memory of 1440	4592	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\afbd69be0464f2b923e84d86121838a0N.exe
"C:\Users\Admin\AppData\Local\Temp\afbd69be0464f2b923e84d86121838a0N.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Users\Admin\AppData\Local\Temp\afbd69be0464f2b923e84d86121838a0N.exe
  C:\Users\Admin\AppData\Local\Temp\afbd69be0464f2b923e84d86121838a0N.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2084
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 256
        8⤵
        Program crash
        
        PID:4116
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 292
        6⤵
        Program crash
        
        PID:2748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 296
      4⤵
      Program crash
      PID:3080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 288
  2⤵
  - Program crash
  PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3244 -ip 3244
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2600 -ip 2600
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2084 -ip 2084
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4592 -ip 4592
1⤵
PID:872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
440c9f4ac0cb074633de5574a73a4571

SHA1
fee3602d6029a80bd154ced2ebec417677c4206a

SHA256
7696a0df7e0048cffb78452ac1f337d3ae92f95cd2c8d16f537f8a45faf1ba11

SHA512
fd0024b0cc789eaf1bff11c5221ebe8ce51a5e41a2430b9638f07eeb47764a46583e0dadfe4322f3efeb02b527af26fb8f787909fcd4ba63ab289976b9642f7d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
f401753ca322f1287b7388fe1e7da389

SHA1
0029f85fd017b69e1de3dca7a7d2894ffc9b9798

SHA256
f5aade652af43c5063f9a0ad6b7561a160775fddc09206262354b2a08df70ecf

SHA512
46518a3392a4b0d19a40f8bd76e68fc4a13305b00170fbfed5329cec7fb50e09c069d79a80fadde2f52df8fe011a94893d535906cbcd2ec669af09ddddb667df

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
11d150b1d1e715ca79308ab2ca8a234b

SHA1
bab123adc90f2e109c6488f26434717fd7afc287

SHA256
bc5fcbde761975054521ff005b7615b743328a8b1ce2d982f7f71bd5a7bd03bf

SHA512
4501d5cb1e928c2f13d93f35f106268e439dae62934f60f51a2bea710f465629fceb92bcb477baaa63fe82e3b91e93f8b8c3ca4efb566af76c775ac5e869d9df

Download Submit
memory/1440-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1440-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1440-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2084-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2600-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3244-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3244-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3304-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3304-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3304-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3468-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3468-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3468-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3468-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4444-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4444-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4444-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4444-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4444-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4444-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4444-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4592-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4592-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download