neconyd | 80ef1d24178c3831c71e1a4b2b4401f60b237698efe8f8047ee4f97bd9f29b5c

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2023 00:49

Target

NEAS.42ca8459c925ee7a5bad2874c43d0730.exe
Size

61KB
MD5

42ca8459c925ee7a5bad2874c43d0730
SHA1

202b0c4141f5b6e3920c6a41c2bac22c6ca9f66e
SHA256

80ef1d24178c3831c71e1a4b2b4401f60b237698efe8f8047ee4f97bd9f29b5c
SHA512

3ea41efdb54c65e42eb12308f2d412a71192c831d6e91162523fb3a797768708c2b153b5a91fa59364398dd8cfd473d9bb4c220c7a8e78f9c55c616693a98714
SSDEEP

1536:rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZfl/5:bdseIOMEZEyFjEOFqTiQm1l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
1192	omsecor.exe
3344	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 1192	416	NEAS.42ca8459c925ee7a5bad2874c43d0730.exe	84
PID 416 wrote to memory of 1192	416	NEAS.42ca8459c925ee7a5bad2874c43d0730.exe	84
PID 416 wrote to memory of 1192	416	NEAS.42ca8459c925ee7a5bad2874c43d0730.exe	84
PID 1192 wrote to memory of 3344	1192	omsecor.exe	104
PID 1192 wrote to memory of 3344	1192	omsecor.exe	104
PID 1192 wrote to memory of 3344	1192	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\NEAS.42ca8459c925ee7a5bad2874c43d0730.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.42ca8459c925ee7a5bad2874c43d0730.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:416
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3344

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
e5f5d40369b45dbc6a8cb977941614fc

SHA1
396e16c9ea5c2dcf8636359e68d3634792b67e85

SHA256
3387712b304dcc6e60e265b459a3818f27377bd78216dc87ea2d100cfb38c06a

SHA512
9c00229370287837654b25bfd0b76a3b2d67a224e82efc21e3e88aac2d3708a5b752ae007fc667ad8b3bca3e43ba018517d1a1bac056c4a37dffc464baa1c9fe

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
61KB

MD5
e5f5d40369b45dbc6a8cb977941614fc

SHA1
396e16c9ea5c2dcf8636359e68d3634792b67e85

SHA256
3387712b304dcc6e60e265b459a3818f27377bd78216dc87ea2d100cfb38c06a

SHA512
9c00229370287837654b25bfd0b76a3b2d67a224e82efc21e3e88aac2d3708a5b752ae007fc667ad8b3bca3e43ba018517d1a1bac056c4a37dffc464baa1c9fe

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
70094d97151b2c246609477043021701

SHA1
f06e71d3f456daeecaf9ecdd5369923f5b8b6020

SHA256
cdc128e118ad1b9a9f81fc5619aa7b484208a56183c879f3497ebebb267fda1a

SHA512
09cc8d7951bbe2068e0bd3c9dd12d4296d10b1bdface65130b673b260a9d292b659d1811d43f6c477dd7cc5f410584faa6e4b8df4e16a89c24058e21a17c35c8

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
61KB

MD5
70094d97151b2c246609477043021701

SHA1
f06e71d3f456daeecaf9ecdd5369923f5b8b6020

SHA256
cdc128e118ad1b9a9f81fc5619aa7b484208a56183c879f3497ebebb267fda1a

SHA512
09cc8d7951bbe2068e0bd3c9dd12d4296d10b1bdface65130b673b260a9d292b659d1811d43f6c477dd7cc5f410584faa6e4b8df4e16a89c24058e21a17c35c8

Download Submit