neconyd | ddae28e0835825ee304ffcb065ec18ba67248a41f083b9675cd39d2256fc6eb2

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 03:43

Target

ddae28e0835825ee304ffcb065ec18ba67248a41f083b9675cd39d2256fc6eb2.exe
Size

80KB
MD5

58fbb520dbe699f6e87cacd69a98b07e
SHA1

e432141bc6d5437a705a633bedee265c6e4c2d25
SHA256

ddae28e0835825ee304ffcb065ec18ba67248a41f083b9675cd39d2256fc6eb2
SHA512

5e26dc077c2762c9eee454f1764d711906fa48e2756bd53448d099dcf82afc3f7f588f5aa47bcf5826bd82f9cff71c09c302026e04adf33f3c6b1974f216cd2e
SSDEEP

768:BfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:BfbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
4788	omsecor.exe
1204	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 4788	3104	ddae28e0835825ee304ffcb065ec18ba67248a41f083b9675cd39d2256fc6eb2.exe	84
PID 3104 wrote to memory of 4788	3104	ddae28e0835825ee304ffcb065ec18ba67248a41f083b9675cd39d2256fc6eb2.exe	84
PID 3104 wrote to memory of 4788	3104	ddae28e0835825ee304ffcb065ec18ba67248a41f083b9675cd39d2256fc6eb2.exe	84
PID 4788 wrote to memory of 1204	4788	omsecor.exe	106
PID 4788 wrote to memory of 1204	4788	omsecor.exe	106
PID 4788 wrote to memory of 1204	4788	omsecor.exe	106

C:\Users\Admin\AppData\Local\Temp\ddae28e0835825ee304ffcb065ec18ba67248a41f083b9675cd39d2256fc6eb2.exe
"C:\Users\Admin\AppData\Local\Temp\ddae28e0835825ee304ffcb065ec18ba67248a41f083b9675cd39d2256fc6eb2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1204

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
725c3727c3f960a7041edbaed651c22e

SHA1
9d00373e9f3bb0485c29e0ac353e1d001825feab

SHA256
7b8b29ab90a2e0e4922f833426c9d4e320b775d109f1d7bd39134fad45018b1b

SHA512
beacd1497fb7115ed273a3666184b1c3f3837e5c81762bcefa824d5e57165d95646b5ec1d7c37a79f126a824c80b1991f869265bb7921d3c7198ccd6c45540e5

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
2883f5be0a957810b5de415222db8346

SHA1
f0013cfaa842ab04813e578a08d17163daa2e6f4

SHA256
3b4c9ea20a90dc84a50a8bae4f10f8c93c529826151a9d273fb9cabfd22c73fe

SHA512
4292d2b5d6244022e631c9230a2eb2482941a81e0c2928817551967d5bc59bcc277a497fc3255a13714734c04b4f4f07e569a0953aa245758ef7b3acabc16233

Download Submit