neconyd | 1402d55ebe79764aa6b500d90065bfe6cac3be6e4b121d503aade48ba3beab58

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 17:42

Target

28867a2af3f4c42a66c63bd16404e801_JaffaCakes118.exe
Size

4.5MB
MD5

28867a2af3f4c42a66c63bd16404e801
SHA1

8e1bfb09703a0606f6852d12c0cf765d45e1cf2f
SHA256

1402d55ebe79764aa6b500d90065bfe6cac3be6e4b121d503aade48ba3beab58
SHA512

2d6e929894a2156be074fa055ba0062323a6ed0dd4ae513f1fe4a0666b8fd91181dd6d9f38a8f3c0eb9550433c9d7bede553f73f0a032b3c3dbfa5e7c9c11c73
SSDEEP

24576:29Z9yn0hTZrIbAEu8CkB7mA5yupIIKQS9YRXT8HU/ny5U5DB:QKnuTZh8JUUyJCS9CXT8Enys

Score

10^/10

neconyd trojan

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 2488	4724	28867a2af3f4c42a66c63bd16404e801_JaffaCakes118.exe	87
PID 4724 wrote to memory of 2488	4724	28867a2af3f4c42a66c63bd16404e801_JaffaCakes118.exe	87
PID 4724 wrote to memory of 2488	4724	28867a2af3f4c42a66c63bd16404e801_JaffaCakes118.exe	87
PID 2488 wrote to memory of 4664	2488	omsecor.exe	98
PID 2488 wrote to memory of 4664	2488	omsecor.exe	98
PID 2488 wrote to memory of 4664	2488	omsecor.exe	98
PID 4664 wrote to memory of 3600	4664	omsecor.exe	99
PID 4664 wrote to memory of 3600	4664	omsecor.exe	99
PID 4664 wrote to memory of 3600	4664	omsecor.exe	99

C:\Users\Admin\AppData\Local\Temp\28867a2af3f4c42a66c63bd16404e801_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28867a2af3f4c42a66c63bd16404e801_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:3600

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
4.5MB

MD5
e97681c076195403a246193aee3d1c42

SHA1
c825170c5877c86942c7d708a824d95a7fd44731

SHA256
446697abd73922220b368373bf2e720328370b2e0eae73d6644aa1f749ba7d58

SHA512
da8fa5c830a3c865ad1f59c611faad4d94856e8ceda8970daa78fe2308e3445644fb65822c3254d71c41c874d97d3906dcdfc5eb7c2049156a4d238c6853913f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
4.5MB

MD5
bb166f2e5141214baf2ff26f4dd7002b

SHA1
7519e5f63c1e5a73ab06345dc06c3a9782b26427

SHA256
11c6f34f46d95c9a7b10908b4207dbfee208767d1d02c555a6acaa57718d8028

SHA512
3cb4667a266fc70fb5d038eaf21da62de4b83cb48f912084bad527c9bfe72e54ec0d740cba5f81a62ba2a3b504f2e840a8d26c4e98b51f0cc72a0bd9beca52c3

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
4.5MB

MD5
16e5eb5eeb4ebaeb08d33a29ed16e180

SHA1
f45851dfb36f5821c4061b806cd2e75b6cdcb8b0

SHA256
1dbe1dc4a03df8288cc72c5c8ebaa7e452d5631091e58a8bc42782372b6f8ba6

SHA512
9466c98063b3e57dc44d62e69984548967ec3adcef145947b96a7776f5c59814046d3b7470fb22f4bc2bccddbeed387467df2e932bacc5d7b935c363fac184f4

Download Submit