neconyd | 2d1c98fb8fdd0db641416e76c1ed7dce5c04bd543d75bf8c8b46dec3512693d3

Analysis

max time kernel
139s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 07:30

Target

NEAS.69dc3bec0e7d37dad8dc2c3276d06380.exe
Size

81KB
MD5

69dc3bec0e7d37dad8dc2c3276d06380
SHA1

21cce4528dcdb1449c7040ed7bc23b69526947a0
SHA256

2d1c98fb8fdd0db641416e76c1ed7dce5c04bd543d75bf8c8b46dec3512693d3
SHA512

031ba9150aa0ff183dc782d882537edb39abb9e2ff5a49290533d880ae2b3c97c127e0fe6af1686b012802994c33d0c391ed007dca694e2cda3e43f47f6f82fc
SSDEEP

1536:Xd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:fdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
2684	omsecor.exe
2116	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2684	2352	NEAS.69dc3bec0e7d37dad8dc2c3276d06380.exe	84
PID 2352 wrote to memory of 2684	2352	NEAS.69dc3bec0e7d37dad8dc2c3276d06380.exe	84
PID 2352 wrote to memory of 2684	2352	NEAS.69dc3bec0e7d37dad8dc2c3276d06380.exe	84
PID 2684 wrote to memory of 2116	2684	omsecor.exe	105
PID 2684 wrote to memory of 2116	2684	omsecor.exe	105
PID 2684 wrote to memory of 2116	2684	omsecor.exe	105

C:\Users\Admin\AppData\Local\Temp\NEAS.69dc3bec0e7d37dad8dc2c3276d06380.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.69dc3bec0e7d37dad8dc2c3276d06380.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2116

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
81KB

MD5
efc2e0ffe105524512477fb21850121a

SHA1
71fde4345822edbf7b1710edc33c66745aee06c1

SHA256
088365e4da546452d6d7a191c635f9606b314d2d0a7f72947b014f123a03599e

SHA512
c6fc9875167a5daa885ab67d243e7d6d3413e7a9fe0ab73a4e5a24ac23509f931bb100b18227a56a8cf0a632b736eda279b9b0f445a90aa6807e9005eb711a23

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
81KB

MD5
efc2e0ffe105524512477fb21850121a

SHA1
71fde4345822edbf7b1710edc33c66745aee06c1

SHA256
088365e4da546452d6d7a191c635f9606b314d2d0a7f72947b014f123a03599e

SHA512
c6fc9875167a5daa885ab67d243e7d6d3413e7a9fe0ab73a4e5a24ac23509f931bb100b18227a56a8cf0a632b736eda279b9b0f445a90aa6807e9005eb711a23

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
81KB

MD5
399e35ee548b9b3af16ab59e661be66f

SHA1
e51ec82fc8a91b360e7e07538abdf2d9e9438926

SHA256
03106e203ccc64e8b1bc6c73fbe01388dc932f8cf0545b07804c7adca8070e12

SHA512
7d06b297d6a96db3d400ad4eae3fc3456613e3aec775a7c37e300d428f58c5d66778d877276bbcb86d7ec8499b35e60fa57339be1eee9207808ab15291d2cd96

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
81KB

MD5
399e35ee548b9b3af16ab59e661be66f

SHA1
e51ec82fc8a91b360e7e07538abdf2d9e9438926

SHA256
03106e203ccc64e8b1bc6c73fbe01388dc932f8cf0545b07804c7adca8070e12

SHA512
7d06b297d6a96db3d400ad4eae3fc3456613e3aec775a7c37e300d428f58c5d66778d877276bbcb86d7ec8499b35e60fa57339be1eee9207808ab15291d2cd96

Download Submit