neconyd | 58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe
Size

35KB
MD5

11fa304e0abec32f6a61eb96578784a0
SHA1

4a8727736d141a4fab9fda2f10402b62c081b712
SHA256

58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2
SHA512

96b4a5def62ce0e13e3a0c7aff1ed422224844bb7243faacc5604423b088413746cd74e26f15b4019b54b5b7e3c5cce33bb43e4d210f52d83034b9c793f89c23
SSDEEP

768:L6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:28Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

3196 omsecor.exe
4412 omsecor.exe

pid	process
3196	omsecor.exe
4412	omsecor.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/560-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/560-5-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3196-6-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3196-8-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3196-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3196-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3196-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Windows\SysWOW64\omsecor.exe	upx
behavioral2/memory/4412-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3196-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4412-23-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4412-26-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exeomsecor.exe

description	pid	process	target process
PID 560 wrote to memory of 3196	560	58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe	omsecor.exe
PID 560 wrote to memory of 3196	560	58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe	omsecor.exe
PID 560 wrote to memory of 3196	560	58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe	omsecor.exe
PID 3196 wrote to memory of 4412	3196	omsecor.exe	omsecor.exe
PID 3196 wrote to memory of 4412	3196	omsecor.exe	omsecor.exe
PID 3196 wrote to memory of 4412	3196	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe
"C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
aa0e450021dfba3816c1a7ffd49778f1

SHA1
0f89d7867dda58b71d655e6742dcbceb624f2f97

SHA256
251b86da5a2b3f77c16022d2cb2db5ce2744a4878c5c5e5c672eb8cc13512112

SHA512
7909175c217c6f165953f2a0ddeddf680d37f040893f3a22db237a36bfb572784a81a599d66d9e9e6f448f8aaa8c6251a7f73aa142f2d6bf66b3826bd752cecb

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
5bab926e2386721cb1f24c8d3ff290e1

SHA1
30e9795f8628cbb9d7378251289112ff6b9b1361

SHA256
ef7d7721fbd2c9df351b4f30f414343a05aa0f025898203d4229a0634429def0

SHA512
8766f446bd03b899071cfa78ed510da21417b99d58947e3ca2a3067133d6558cdac1a4f3425a1d6fdf7bc80953ca3e834bbe86d66ed772e190a83be1af6c23ff

Download Submit
memory/560-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/560-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3196-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3196-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3196-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3196-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3196-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3196-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4412-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4412-23-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4412-26-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download