neconyd | b06dba33e70303625df9db84cc395610be0a0ab5651e3a66cd413a3add1745ba

Analysis

max time kernel
138s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 01:58

Target

b06dba33e70303625df9db84cc395610be0a0ab5651e3a66cd413a3add1745ba.exe
Size

88KB
MD5

7846049cbabe03519393d78b2624526c
SHA1

838a95b9f5c11adf58383c8cb55087eec1feb423
SHA256

b06dba33e70303625df9db84cc395610be0a0ab5651e3a66cd413a3add1745ba
SHA512

927eeb220b8c622d1e297100a218ec8ec8d3f66df537e87ae0f0a82b4dd52eeb09434297069a9caa35e1c541467222a5064815be5b2c3e6221ecbd644b86c112
SSDEEP

1536:bd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:rdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 4840	3024	b06dba33e70303625df9db84cc395610be0a0ab5651e3a66cd413a3add1745ba.exe	87
PID 3024 wrote to memory of 4840	3024	b06dba33e70303625df9db84cc395610be0a0ab5651e3a66cd413a3add1745ba.exe	87
PID 3024 wrote to memory of 4840	3024	b06dba33e70303625df9db84cc395610be0a0ab5651e3a66cd413a3add1745ba.exe	87
PID 4840 wrote to memory of 2536	4840	omsecor.exe	115
PID 4840 wrote to memory of 2536	4840	omsecor.exe	115
PID 4840 wrote to memory of 2536	4840	omsecor.exe	115
PID 2536 wrote to memory of 4380	2536	omsecor.exe	116
PID 2536 wrote to memory of 4380	2536	omsecor.exe	116
PID 2536 wrote to memory of 4380	2536	omsecor.exe	116

C:\Users\Admin\AppData\Local\Temp\b06dba33e70303625df9db84cc395610be0a0ab5651e3a66cd413a3add1745ba.exe
"C:\Users\Admin\AppData\Local\Temp\b06dba33e70303625df9db84cc395610be0a0ab5651e3a66cd413a3add1745ba.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:4380

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
3b95fb0e0ff6d4385fc24a33e61a7fd3

SHA1
c1eeebe97e1ee2edee3c290e72a5b3cb3aeac305

SHA256
6dd179edc2b006bd796ad014e52c95cf88fd5dce0b3ee0a97e1c7f3796867606

SHA512
e4dfffe19d6326fe82485e18bebf7ccd84156838dcdd73ed86329da3cc834a52d0f1f7be8b6f086583d3eb64e0ba2618dabf6e3b15dc37f90b89446439edc055

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
2fdb5c3d66d89cc999cc56a168b94d26

SHA1
054990a4e1b935e1e560f85497be67bea39b249e

SHA256
430d1c18e1aad3993574338f69a3ca38c36d3fa54b274a3c9839f4eb15a6b158

SHA512
7704082174fc41406a7b05e95a8455a0dd7415101f754fa40d26e9efa05c6fe27d38d2d293050c3aba712d3a3da3d8c4e2facc39221a7f772bba2e3febfda934

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
6f0faa7ccc956e88ec5864eb91302f62

SHA1
4b948c343dc4281203b364a606cfeee9bc6edcfd

SHA256
e525cebe2e9914b610844d44ee9dce6f5b3509ceff9b11e258b86ab3631929f1

SHA512
799741c1479517adf6b88d41dd51a0ffa7227363b307304af986cc5b99f3139467ea7561cb9540bbcba12cf9942ded047011594b8ccfb67b8786b1f7dea90d64

Download Submit