neconyd | d91b3ec73ca8044d0e377c7fe634d91e3d751913a801f45f4bef34570afef18b

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

732b2433782c09459f211457ff9a6f20_NEAS.exe
Size

119KB
MD5

732b2433782c09459f211457ff9a6f20
SHA1

801d09fe6a3b1488740465bc9fa246947f792838
SHA256

d91b3ec73ca8044d0e377c7fe634d91e3d751913a801f45f4bef34570afef18b
SHA512

467369ddbd45434162d7f83465930a3de01a14716a82a54374182b61d43fb845edbf987b6cf85baeb9e67484e7e4c26194bb2417dcb8745595c1c30777e8077a
SSDEEP

1536:Dd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZznOeibgX7H:jdseIOMEZEyFjEOFqTiQmxnOeV7H

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
4028	omsecor.exe
4532	omsecor.exe
2608	omsecor.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1564-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/1564-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000c000000023b37-4.dat	upx
behavioral2/memory/4028-6-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4028-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x00070000000229cd-11.dat	upx
behavioral2/memory/4028-12-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4532-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000c000000023b37-16.dat	upx
behavioral2/memory/2608-18-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4532-17-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2608-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 4028	1564	732b2433782c09459f211457ff9a6f20_NEAS.exe	86
PID 1564 wrote to memory of 4028	1564	732b2433782c09459f211457ff9a6f20_NEAS.exe	86
PID 1564 wrote to memory of 4028	1564	732b2433782c09459f211457ff9a6f20_NEAS.exe	86
PID 4028 wrote to memory of 4532	4028	omsecor.exe	106
PID 4028 wrote to memory of 4532	4028	omsecor.exe	106
PID 4028 wrote to memory of 4532	4028	omsecor.exe	106
PID 4532 wrote to memory of 2608	4532	omsecor.exe	107
PID 4532 wrote to memory of 2608	4532	omsecor.exe	107
PID 4532 wrote to memory of 2608	4532	omsecor.exe	107

C:\Users\Admin\AppData\Local\Temp\732b2433782c09459f211457ff9a6f20_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\732b2433782c09459f211457ff9a6f20_NEAS.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:2608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
119KB

MD5
008fab6ae6c0de3a57c20bc1c3078e22

SHA1
48c5221e1570dc6d1ef0a0baf3004493aa77b11e

SHA256
66c8e0902fafbfbab4672046d2b7f0a7d068d55d316a3d84e6e46de953ab668c

SHA512
66d9598e775d95107ef62d86c76b8581b1d720326973034bc2414b23a72f2bed4165a1a06c9962e49c01dbda967977fa62cfa75342ffbcc37f2d5a8a5f1595da

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
119KB

MD5
3e5de6382dc23be53bcc614366dfade1

SHA1
904dc747d63d024776d92243fb07b7bba0fb901b

SHA256
11af0fc11e9b51624a2a844e9264d59ef0a26a098fc579aac0a6a282cbc5dec6

SHA512
423c395e8428778cfbd57d1f0b3e19970118acefa59779ceeefa1a3070e4c87080d06854fc3f237e971f912b083d558dc5fce4baef17aa33761a3be6bcda5138

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
119KB

MD5
66cdf22ccc19ea15e3cb5e657be3f2da

SHA1
fac829e5bcce5169ae464e8d845f61be394a9870

SHA256
6a1d58643926a1d0ddf15c779a90436feacd18375c8d6e52fa4835cf94be54cf

SHA512
8a174648df3bfbc6157bedb889e3398685d40f0c40130764b76a98672af64556a812fee00cd2e9bc8a6cc0c26f41bb66c4c52949340256688c95bd69e04d8a5b

Download Submit
memory/1564-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1564-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2608-18-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2608-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4028-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4028-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4028-12-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4532-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4532-17-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download