neconyd | 7f2f739bf6c8ebfad3068915cbdad24a3a519923526d0edfa8aaf8845e32badf

Analysis

max time kernel
115s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac36fb8669f17acc001f879c823ad8f0N.exe
Size

134KB
MD5

ac36fb8669f17acc001f879c823ad8f0
SHA1

6d9095dbb9b5f6e9047163d92931f2f5bd74f117
SHA256

7f2f739bf6c8ebfad3068915cbdad24a3a519923526d0edfa8aaf8845e32badf
SHA512

509bb1c35ab2b27054452ab1d4c598f3ef01998993438e4a4cc8e6f475810a6c81b264af334f44fcf777f0305d08ac9b7cd1d5f60e1ea1c6af2bb9a67d8f724d
SSDEEP

1536:gDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:WiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 6 IoCs

pid	Process
2004	omsecor.exe
4484	omsecor.exe
4592	omsecor.exe
3512	omsecor.exe
5076	omsecor.exe
4396	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 4708	1096	ac36fb8669f17acc001f879c823ad8f0N.exe	83
PID 2004 set thread context of 4484	2004	omsecor.exe	88
PID 4592 set thread context of 3512	4592	omsecor.exe	107
PID 5076 set thread context of 4396	5076	omsecor.exe	111

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2112	1096	WerFault.exe	82
1512	2004	WerFault.exe	85
2104	4592	WerFault.exe	106
4124	5076	WerFault.exe	109

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 4708	1096	ac36fb8669f17acc001f879c823ad8f0N.exe	83
PID 1096 wrote to memory of 4708	1096	ac36fb8669f17acc001f879c823ad8f0N.exe	83
PID 1096 wrote to memory of 4708	1096	ac36fb8669f17acc001f879c823ad8f0N.exe	83
PID 1096 wrote to memory of 4708	1096	ac36fb8669f17acc001f879c823ad8f0N.exe	83
PID 1096 wrote to memory of 4708	1096	ac36fb8669f17acc001f879c823ad8f0N.exe	83
PID 4708 wrote to memory of 2004	4708	ac36fb8669f17acc001f879c823ad8f0N.exe	85
PID 4708 wrote to memory of 2004	4708	ac36fb8669f17acc001f879c823ad8f0N.exe	85
PID 4708 wrote to memory of 2004	4708	ac36fb8669f17acc001f879c823ad8f0N.exe	85
PID 2004 wrote to memory of 4484	2004	omsecor.exe	88
PID 2004 wrote to memory of 4484	2004	omsecor.exe	88
PID 2004 wrote to memory of 4484	2004	omsecor.exe	88
PID 2004 wrote to memory of 4484	2004	omsecor.exe	88
PID 2004 wrote to memory of 4484	2004	omsecor.exe	88
PID 4484 wrote to memory of 4592	4484	omsecor.exe	106
PID 4484 wrote to memory of 4592	4484	omsecor.exe	106
PID 4484 wrote to memory of 4592	4484	omsecor.exe	106
PID 4592 wrote to memory of 3512	4592	omsecor.exe	107
PID 4592 wrote to memory of 3512	4592	omsecor.exe	107
PID 4592 wrote to memory of 3512	4592	omsecor.exe	107
PID 4592 wrote to memory of 3512	4592	omsecor.exe	107
PID 4592 wrote to memory of 3512	4592	omsecor.exe	107
PID 3512 wrote to memory of 5076	3512	omsecor.exe	109
PID 3512 wrote to memory of 5076	3512	omsecor.exe	109
PID 3512 wrote to memory of 5076	3512	omsecor.exe	109
PID 5076 wrote to memory of 4396	5076	omsecor.exe	111
PID 5076 wrote to memory of 4396	5076	omsecor.exe	111
PID 5076 wrote to memory of 4396	5076	omsecor.exe	111
PID 5076 wrote to memory of 4396	5076	omsecor.exe	111
PID 5076 wrote to memory of 4396	5076	omsecor.exe	111

C:\Users\Admin\AppData\Local\Temp\ac36fb8669f17acc001f879c823ad8f0N.exe
"C:\Users\Admin\AppData\Local\Temp\ac36fb8669f17acc001f879c823ad8f0N.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\ac36fb8669f17acc001f879c823ad8f0N.exe
  C:\Users\Admin\AppData\Local\Temp\ac36fb8669f17acc001f879c823ad8f0N.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4484
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4592
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 256
        8⤵
        Program crash
        
        PID:4124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 296
        6⤵
        Program crash
        
        PID:2104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 288
      4⤵
      Program crash
      PID:1512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 300
  2⤵
  - Program crash
  PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1096 -ip 1096
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2004 -ip 2004
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4592 -ip 4592
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5076 -ip 5076
1⤵
PID:2996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
046b3ba68552b9decaab80df8c869890

SHA1
357360d71562b24a3331f187ec6e88c4bbc521bc

SHA256
d16829f15a625f7cc8a48d3f37bb23d514f54abe68ad7f8cba4888a0c20ed1dd

SHA512
70094644742d2eae76056c1a3012b640ab117ae8212f50dacf65eaad03630bc903e6b0d4122a13eb85c4ef7701a64a9ac77abd2df38c8e7809a37865680a1742

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
f68fad6f7d29551eca01b55fec8fc680

SHA1
2beed62c23458db795df9c2fab2bff06e0d56e6f

SHA256
57c29aa30faafec573dd1f363bac8d3e7b4c0e3fd0ab0eeb1441c55d5b06f031

SHA512
2e070e5cccd5db15cb5f4597700bb3701a261304e8635ee18631d164e45cda3ec26e1bb37fc88b31a2bd82b6104b3ce3937a67ee0080576d1b7e57edbee96d21

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
82e559381fa3faea25cb25f44a943283

SHA1
d8346c2ceddcdeb5927907b2f2dac862bc68aca5

SHA256
7d1431d5785e2d1219ea58b1eb1d273849df379a64f53291511e6b5847a8f9ea

SHA512
220872229f9a68d3d7f31382bd05bcdabbf75fca14ac847eef0bdad5fdab4f8c67d14c755c511157920c82c31a13758969e6f86447b6edce626d954b071bbdd5

Download Submit
memory/1096-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1096-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2004-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3512-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3512-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3512-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4396-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4396-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4396-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4484-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4484-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4484-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4484-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4484-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4484-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4484-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4592-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4708-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4708-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4708-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4708-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5076-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download