neconyd | ac75dc3384c2b996654bbf0ecfa447cb67720d90b91792ff7dddc4f339d78024

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c178d6373b618988c16d29a802d2b90_NeikiAnalytics.exe
Size

35KB
MD5

5c178d6373b618988c16d29a802d2b90
SHA1

30a97a3cfe581653f153b0d711dd8afff1280791
SHA256

ac75dc3384c2b996654bbf0ecfa447cb67720d90b91792ff7dddc4f339d78024
SHA512

e1e2c1992fd7b9c21d6e10d6a3e101528d72ce06f418861122a75a984ab3b029f78d3f657719914fc6f6b719a805f63b44c6b06223b3d726d4c93292f87a3ef8
SSDEEP

768:n6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:68Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 2 IoCs

pid	Process
2344	omsecor.exe
3268	omsecor.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2668-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x0008000000022f51-3.dat	upx
behavioral2/memory/2344-6-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2668-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2344-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2344-10-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2344-13-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2344-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000900000002336d-17.dat	upx
behavioral2/memory/3268-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2344-20-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3268-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3268-25-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2344	2668	5c178d6373b618988c16d29a802d2b90_NeikiAnalytics.exe	82
PID 2668 wrote to memory of 2344	2668	5c178d6373b618988c16d29a802d2b90_NeikiAnalytics.exe	82
PID 2668 wrote to memory of 2344	2668	5c178d6373b618988c16d29a802d2b90_NeikiAnalytics.exe	82
PID 2344 wrote to memory of 3268	2344	omsecor.exe	91
PID 2344 wrote to memory of 3268	2344	omsecor.exe	91
PID 2344 wrote to memory of 3268	2344	omsecor.exe	91

C:\Users\Admin\AppData\Local\Temp\5c178d6373b618988c16d29a802d2b90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5c178d6373b618988c16d29a802d2b90_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
35KB

MD5
8b00b6b8b7fec5cb834677e5f2eae88c

SHA1
20f54a2ddf388b6efce55e3c1fe97570fc1a52f1

SHA256
1077c9218aff5e6286520d87768ac81fd7a6bb81130dd7374aa562df5d8c2908

SHA512
f599c4ef0f99081d19dc9c9f4511929a91f66da408ad02df9d1d4414063ff285ec0915b37c15746d9bf9b665e284b2abffd6b70dc0f3ff4a3060a7d776cf38a8

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
35KB

MD5
dd441dde606c833b0dd458a6051a0d31

SHA1
c7df557aff879fa2697271ee5047bdfbff52456e

SHA256
fc9afa66192adfd74dccf6ccf37ee924cd9a90a322dab5beb1336f87775a279d

SHA512
12dedc31e6f893bf88a3461775286404d8de620552b6f39d8cd92b735a4cbfe77342fa18ea35788d576c160e86bd50e99fdf57819cb85b350de256a4477a0bf1

Download Submit
memory/2344-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2344-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2344-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2344-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2344-13-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2344-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2668-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2668-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3268-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3268-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3268-25-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download