neconyd | 2a927d231fae2216de7fdb36f598dd64f38e86c269ebbb5cf5ddee62ac7e2a11

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 19:59

Target

2a927d231fae2216de7fdb36f598dd64f38e86c269ebbb5cf5ddee62ac7e2a11.exe
Size

65KB
MD5

733c015d365180e05fb11804812a5414
SHA1

4833f352574c857c5ca94638bd2cebe9f690efd8
SHA256

2a927d231fae2216de7fdb36f598dd64f38e86c269ebbb5cf5ddee62ac7e2a11
SHA512

a68f1f34277674d3e645ff60f31f721bd85bf10426d72a8731d9fe9b963df78b9f8380ad737818a44f53a4b6009f438f010b144d703e3b82c453830f69082860
SSDEEP

1536:Td9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZcl/5:TdseIO+EZEyFjEOFqTiQmOl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
3924	omsecor.exe
844	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 3924	3568	2a927d231fae2216de7fdb36f598dd64f38e86c269ebbb5cf5ddee62ac7e2a11.exe	85
PID 3568 wrote to memory of 3924	3568	2a927d231fae2216de7fdb36f598dd64f38e86c269ebbb5cf5ddee62ac7e2a11.exe	85
PID 3568 wrote to memory of 3924	3568	2a927d231fae2216de7fdb36f598dd64f38e86c269ebbb5cf5ddee62ac7e2a11.exe	85
PID 3924 wrote to memory of 844	3924	omsecor.exe	108
PID 3924 wrote to memory of 844	3924	omsecor.exe	108
PID 3924 wrote to memory of 844	3924	omsecor.exe	108

C:\Users\Admin\AppData\Local\Temp\2a927d231fae2216de7fdb36f598dd64f38e86c269ebbb5cf5ddee62ac7e2a11.exe
"C:\Users\Admin\AppData\Local\Temp\2a927d231fae2216de7fdb36f598dd64f38e86c269ebbb5cf5ddee62ac7e2a11.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:844

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
959d68e14a202a62e99cbb7c5d422b0d

SHA1
07ca614bf6c7c10a817d561db7772fef88f4ac52

SHA256
7ff0fbb2e34cb94b98320ddcf905d3b9030becd697ee0abc5faf14805f1b8c3d

SHA512
85569aed378b36069ac6f3fa4393a78e67433a12cb8d5e8e2bb54535bd161dc8471ca3130177b7b930e2f191bba6fb7ffdb3fdcd8a1feda7d10fd958d19f6103

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
039b56bca377d80361081c9c34608fbb

SHA1
3f2de955671f5f1e6c60a8b37f7b1c7a079984f9

SHA256
2e2b7b8922c73bd945f1b1bcf3887fa50cb5c8c35075c2dfe92e38b97cd58a44

SHA512
c2bd1bee3d08c33266e90d2ec9bcd2598b705613b6f838b086a96318710eb7c3416870afe4f540927772ea9ebb22f61c9b2af53746b5225fdbc10f26abf41bb7

Download Submit
memory/844-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/844-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3568-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3568-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3924-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3924-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3924-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download