neconyd | 800bb074b481707314f876fc063159fe9f51fb2517042166da4b8fe03b5970fc

Analysis

max time kernel
180s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 01:33

Target

c5757a071087afb476be0d4767ede487_JC.exe
Size

84KB
MD5

c5757a071087afb476be0d4767ede487
SHA1

302a85149053c8051f1b0922cc09465113babda9
SHA256

800bb074b481707314f876fc063159fe9f51fb2517042166da4b8fe03b5970fc
SHA512

0ccddb5c501afe58b54f10d8b018ee37440e987e6882033402622d8897208f5ef1738839362fdfed36bf8e0cb929ee39f33f737f662e8523cf5d879298a13421
SSDEEP

768:7MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:7bIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
5008	omsecor.exe
4740	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 5008	3424	c5757a071087afb476be0d4767ede487_JC.exe	86
PID 3424 wrote to memory of 5008	3424	c5757a071087afb476be0d4767ede487_JC.exe	86
PID 3424 wrote to memory of 5008	3424	c5757a071087afb476be0d4767ede487_JC.exe	86
PID 5008 wrote to memory of 4740	5008	omsecor.exe	100
PID 5008 wrote to memory of 4740	5008	omsecor.exe	100
PID 5008 wrote to memory of 4740	5008	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\c5757a071087afb476be0d4767ede487_JC.exe
"C:\Users\Admin\AppData\Local\Temp\c5757a071087afb476be0d4767ede487_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4740

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
1cdc63217e7be07c22c4f707720436c7

SHA1
8b01241606680c6b4e0970d2cde99522b365c378

SHA256
4d4b331dce34a6dc3b494149adbd671846f7d24dcb4f7cca3e40cc58ae6a1770

SHA512
03d2be30ea2934c972a4ccab7ea164d00980f52e1b2f3c907692a57a4aa9b5636f19530e7a56170fe8692b3f373e4f24b289d634dbeb6eb46efdebd8be8879ab

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
1cdc63217e7be07c22c4f707720436c7

SHA1
8b01241606680c6b4e0970d2cde99522b365c378

SHA256
4d4b331dce34a6dc3b494149adbd671846f7d24dcb4f7cca3e40cc58ae6a1770

SHA512
03d2be30ea2934c972a4ccab7ea164d00980f52e1b2f3c907692a57a4aa9b5636f19530e7a56170fe8692b3f373e4f24b289d634dbeb6eb46efdebd8be8879ab

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
fe0837dc2f45b745b818547e64791651

SHA1
690d42f6a754ace7af37ff1d63f1e005c82f47dd

SHA256
b3bc3e4bc9e5a55ad2fcc7cceeabc3b1b0cf02aa898264c66f5c0a3469caf565

SHA512
3b0612abcc72d35be7d67bfac94d30d9de56b107eab21e0b6702f03e5b9d774ea736b9051ce8a43b4520310342fda793307b3eb276412e62356fd57a548c10b1

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
fe0837dc2f45b745b818547e64791651

SHA1
690d42f6a754ace7af37ff1d63f1e005c82f47dd

SHA256
b3bc3e4bc9e5a55ad2fcc7cceeabc3b1b0cf02aa898264c66f5c0a3469caf565

SHA512
3b0612abcc72d35be7d67bfac94d30d9de56b107eab21e0b6702f03e5b9d774ea736b9051ce8a43b4520310342fda793307b3eb276412e62356fd57a548c10b1

Download Submit