neconyd | 393101034ff161f0c2f53114a64bab995f92d522095faef29ba281c920c88521

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe
Size

35KB
MD5

6c6d3dd62bef9a84fc4f9ca040d8cd50
SHA1

265162a5d5215cd72a286f7075d4e16300ed5a4d
SHA256

393101034ff161f0c2f53114a64bab995f92d522095faef29ba281c920c88521
SHA512

b41c53a428f10cd024ec69743d7fe37ee4fff28262f6397eeaa8cdca95cc3a38ed33fba03eb97938164b8a56c87991b27a8332f2707535bfa126ba3902813df4
SSDEEP

768:E6vjVmakOElpmAsUA7DJHrhto2OsgwAPTUrpiEe7HpB:T8Z0kA7FHlO2OwOTUtKjpB

Score

10^/10

neconyd trojan upx

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

4032 omsecor.exe
3308 omsecor.exe

pid	process
4032	omsecor.exe
3308	omsecor.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4480-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\omsecor.exe	upx
behavioral2/memory/4032-7-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4480-6-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4032-8-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4032-11-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4032-14-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/4032-15-0x0000000000400000-0x000000000042D000-memory.dmp	upx
C:\Windows\SysWOW64\omsecor.exe	upx
behavioral2/memory/4032-19-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3308-21-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3308-22-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/3308-25-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exeomsecor.exe

description	pid	process	target process
PID 4480 wrote to memory of 4032	4480	6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe	omsecor.exe
PID 4480 wrote to memory of 4032	4480	6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe	omsecor.exe
PID 4480 wrote to memory of 4032	4480	6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe	omsecor.exe
PID 4032 wrote to memory of 3308	4032	omsecor.exe	omsecor.exe
PID 4032 wrote to memory of 3308	4032	omsecor.exe	omsecor.exe
PID 4032 wrote to memory of 3308	4032	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4480

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
35KB

MD5
88be7cfa67f782d40bf19595240e2d2c

SHA1
d5dfb84cf19f2c37884418227a5c1362de505f2c

SHA256
7f963ff14affd2eb0ea5cc3f245949bbdf1ee0d8fc1b8702232b9a3f2cacf1df

SHA512
f48fcef3d44bbd58cbcc6b2345c51b5f4e038d99f4f15091693ac53c72c058d41f446882ca953ebdde4fa8afa8b5380ed135e7024bf841dabf0bd55b51c04465

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
35KB

MD5
66c140e0e2ad020e63e8e102adbbcae6

SHA1
bc8ec7fd571687b4131a10e257caeefdf6696849

SHA256
b152c057da98ef1bfdb1f457f0723ce646b3b073c3a823287a83aa1341ec8070

SHA512
fa64b415a3fa304eb2c4063cd7c837a586171ecbe9e06f755e1a631f6093d0ed4df01c71881065bc3b3c68c532d13ad9e106a9e435a2015eb0042b41c8bb398e

Download Submit
memory/3308-25-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3308-22-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3308-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4032-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4032-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4032-15-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4032-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4032-8-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4032-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4480-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4480-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download