neconyd | 2a927d231fae2216de7fdb36f598dd64f38e86c269ebbb5cf5ddee62ac7e2a11

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 19:59

Target

2a927d231fae2216de7fdb36f598dd64f38e86c269ebbb5cf5ddee62ac7e2a11.exe
Size

65KB
MD5

733c015d365180e05fb11804812a5414
SHA1

4833f352574c857c5ca94638bd2cebe9f690efd8
SHA256

2a927d231fae2216de7fdb36f598dd64f38e86c269ebbb5cf5ddee62ac7e2a11
SHA512

a68f1f34277674d3e645ff60f31f721bd85bf10426d72a8731d9fe9b963df78b9f8380ad737818a44f53a4b6009f438f010b144d703e3b82c453830f69082860
SSDEEP

1536:Td9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZcl/5:TdseIO+EZEyFjEOFqTiQmOl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
2836	omsecor.exe
1716	omsecor.exe

Loads dropped DLL 4 IoCs

pid	Process
1888	2a927d231fae2216de7fdb36f598dd64f38e86c269ebbb5cf5ddee62ac7e2a11.exe
1888	2a927d231fae2216de7fdb36f598dd64f38e86c269ebbb5cf5ddee62ac7e2a11.exe
2836	omsecor.exe
2836	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 2836	1888	2a927d231fae2216de7fdb36f598dd64f38e86c269ebbb5cf5ddee62ac7e2a11.exe	28
PID 1888 wrote to memory of 2836	1888	2a927d231fae2216de7fdb36f598dd64f38e86c269ebbb5cf5ddee62ac7e2a11.exe	28
PID 1888 wrote to memory of 2836	1888	2a927d231fae2216de7fdb36f598dd64f38e86c269ebbb5cf5ddee62ac7e2a11.exe	28
PID 1888 wrote to memory of 2836	1888	2a927d231fae2216de7fdb36f598dd64f38e86c269ebbb5cf5ddee62ac7e2a11.exe	28
PID 2836 wrote to memory of 1716	2836	omsecor.exe	32
PID 2836 wrote to memory of 1716	2836	omsecor.exe	32
PID 2836 wrote to memory of 1716	2836	omsecor.exe	32
PID 2836 wrote to memory of 1716	2836	omsecor.exe	32

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
959d68e14a202a62e99cbb7c5d422b0d

SHA1
07ca614bf6c7c10a817d561db7772fef88f4ac52

SHA256
7ff0fbb2e34cb94b98320ddcf905d3b9030becd697ee0abc5faf14805f1b8c3d

SHA512
85569aed378b36069ac6f3fa4393a78e67433a12cb8d5e8e2bb54535bd161dc8471ca3130177b7b930e2f191bba6fb7ffdb3fdcd8a1feda7d10fd958d19f6103

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
9bef9d867c2e6f799d6b25a351aa1e00

SHA1
861c2ef456f3a6037a3c114c2a079df52a301dd2

SHA256
0eb8f2cd78f71de9ee4fe4ce0d67fa3563e2479f1ca8dca557023b8eac114f5f

SHA512
d66d9f2f8d2aa0038b3d0cd76b169e5264ffda75d55925b7c85d2b06453701ff97c8a9a0a9b35597a76a3ae112376d4db751315834f9e9c5ccaa104fd0f7218c

Download Submit
memory/1716-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1888-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1888-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1888-4-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2836-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2836-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2836-18-0x00000000005D0000-0x00000000005FA000-memory.dmp

Filesize
168KB

Download
memory/2836-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download