neconyd | 43ca3b6181c95ea2e1fa8d001ab33f82930c7d8640c1adcffcdface45be8757b

Analysis

max time kernel
115s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 00:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

35dc7b0f47bc9b224b4268d07fa1f2b0N.exe
Size

71KB
MD5

35dc7b0f47bc9b224b4268d07fa1f2b0
SHA1

ac92f59343c2d4d900ca03b36b7570a9aa897468
SHA256

43ca3b6181c95ea2e1fa8d001ab33f82930c7d8640c1adcffcdface45be8757b
SHA512

b8be78bcbceca5dda7acba485d008c6681244562006db28fbfabe70e5cddd1d404680931945b161aa8d5f67d3eb9abd993ea06504584aba4f70f4940ca5d6282
SSDEEP

1536:ad9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbH:6dseIOMEZEyFjEOFqTiQmQDHIbH

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
2704	omsecor.exe
1972	omsecor.exe
2956	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2884	35dc7b0f47bc9b224b4268d07fa1f2b0N.exe
2884	35dc7b0f47bc9b224b4268d07fa1f2b0N.exe
2704	omsecor.exe
2704	omsecor.exe
1972	omsecor.exe
1972	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2704	2884	35dc7b0f47bc9b224b4268d07fa1f2b0N.exe	29
PID 2884 wrote to memory of 2704	2884	35dc7b0f47bc9b224b4268d07fa1f2b0N.exe	29
PID 2884 wrote to memory of 2704	2884	35dc7b0f47bc9b224b4268d07fa1f2b0N.exe	29
PID 2884 wrote to memory of 2704	2884	35dc7b0f47bc9b224b4268d07fa1f2b0N.exe	29
PID 2704 wrote to memory of 1972	2704	omsecor.exe	31
PID 2704 wrote to memory of 1972	2704	omsecor.exe	31
PID 2704 wrote to memory of 1972	2704	omsecor.exe	31
PID 2704 wrote to memory of 1972	2704	omsecor.exe	31
PID 1972 wrote to memory of 2956	1972	omsecor.exe	32
PID 1972 wrote to memory of 2956	1972	omsecor.exe	32
PID 1972 wrote to memory of 2956	1972	omsecor.exe	32
PID 1972 wrote to memory of 2956	1972	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\35dc7b0f47bc9b224b4268d07fa1f2b0N.exe
"C:\Users\Admin\AppData\Local\Temp\35dc7b0f47bc9b224b4268d07fa1f2b0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:2956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
8efac0166f27b734ec3b0b029733429e

SHA1
7cf001340f9fbfa92e76c790eccb5280ef2b4c34

SHA256
b78ac26cf26f689563200143569fa55c103140b781a542551b96adc42d3b0878

SHA512
f3dda91f46b368b84a2c2f0d57fc42f2f607b4bb072e854b69e49d1064860e1526c73e747ed0e5f49aa72d97c2cc039db456dd9544640d05f4057cec856787a1

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
9b5ef530708d2fd57ca73f7d73714796

SHA1
8830b1ed28ea4e8dab9ee378796938e81c084f3f

SHA256
b1599b3b0cddc655ea0fca50d339462d9e2a20b6387dbdbb2b869c4676e51ac8

SHA512
bcd5b83f42f86d2601b0343555382b8d7a2d198890aabdf3de76146933c2e54b58a10deadabcacd64789384c9ca8c6fed75483da770b389b340710e8a553f9f7

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
321bc4d038f0ade3b8db40a558ff07c0

SHA1
cd98cf6310bee0aad6871ee9426512a7d0cf1998

SHA256
049f8e2fc853796ca8aa187b5ada5142f9d568698834759c62020e8d89ddc1b4

SHA512
2555c2ace4c2117603c4ae487c4ac8d2371649618f0fed1fe133ddd23dd5633b8acdb3eb26e786c9796e869e6b417b61a23b81951bbdd1df14c56ac35fc6aa73

Download Submit
memory/1972-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1972-29-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2704-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2704-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2704-19-0x0000000002200000-0x000000000222B000-memory.dmp

Filesize
172KB

Download
memory/2704-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2884-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2884-6-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2884-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2884-9-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/2956-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2956-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download