neconyd | fda238575d9bb4b30bce6fb14eb7c4762aa1edd3a8b19faad3b3cd216ae96fd7

Analysis

max time kernel
139s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2023 08:40

Target

NEAS.ee29d72cef5c9bdf8544ba520bb30f01.exe
Size

84KB
MD5

ee29d72cef5c9bdf8544ba520bb30f01
SHA1

6a74572b187eb9db8118e43cb243f20388201fea
SHA256

fda238575d9bb4b30bce6fb14eb7c4762aa1edd3a8b19faad3b3cd216ae96fd7
SHA512

8d00997e2806aedcc6aa4dea59fb41217cbe4aa6a4dfb075d5b0fd4ea1b4926e8d9e0eecf82e4396cc22105ccf995a729c257e940430a93277107ca5d3827b9b
SSDEEP

1536:Ad9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:gdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
3336	omsecor.exe
4256	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 3336	4372	NEAS.ee29d72cef5c9bdf8544ba520bb30f01.exe	90
PID 4372 wrote to memory of 3336	4372	NEAS.ee29d72cef5c9bdf8544ba520bb30f01.exe	90
PID 4372 wrote to memory of 3336	4372	NEAS.ee29d72cef5c9bdf8544ba520bb30f01.exe	90
PID 3336 wrote to memory of 4256	3336	omsecor.exe	107
PID 3336 wrote to memory of 4256	3336	omsecor.exe	107
PID 3336 wrote to memory of 4256	3336	omsecor.exe	107

C:\Users\Admin\AppData\Local\Temp\NEAS.ee29d72cef5c9bdf8544ba520bb30f01.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ee29d72cef5c9bdf8544ba520bb30f01.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4256

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
ac499f69c9d63f35b44db022f8040ee1

SHA1
12874409e81f536e14bb96b0118dab8693638a4d

SHA256
9f21426501f39469309b1fbab864e4f6224019d82c53fc9542bb704464b6d359

SHA512
59c73ea08ecd705dadfeafc83795a6ede254ac6255a758f4c5a7f7cf0617946e01138a0fddcb1d1fc9c62d5b87608f794d9214d0395805ba88c29a80228d6e7e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
ac499f69c9d63f35b44db022f8040ee1

SHA1
12874409e81f536e14bb96b0118dab8693638a4d

SHA256
9f21426501f39469309b1fbab864e4f6224019d82c53fc9542bb704464b6d359

SHA512
59c73ea08ecd705dadfeafc83795a6ede254ac6255a758f4c5a7f7cf0617946e01138a0fddcb1d1fc9c62d5b87608f794d9214d0395805ba88c29a80228d6e7e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
90ed8f3bd058c7aacee0dab6128cf3fb

SHA1
213639762da0a72493aa51a3478ca6b1e8c9e4cf

SHA256
a24626104d1fe2a438a3794129ac177dbafe095a9d18b016bb41791a37caeed7

SHA512
cf83db10c2ca04a7c66160956062cd066822350eca0ce8449b8e69c6fc80287b4449969437c73e4967727c0ffa25bb8ec4d6616e6ca2859671ff1cf3640fc09a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
90ed8f3bd058c7aacee0dab6128cf3fb

SHA1
213639762da0a72493aa51a3478ca6b1e8c9e4cf

SHA256
a24626104d1fe2a438a3794129ac177dbafe095a9d18b016bb41791a37caeed7

SHA512
cf83db10c2ca04a7c66160956062cd066822350eca0ce8449b8e69c6fc80287b4449969437c73e4967727c0ffa25bb8ec4d6616e6ca2859671ff1cf3640fc09a

Download Submit