neconyd | 722d36c2433205b4f1ec3bad0dae81536ae7160120c79fb8bf91df080ad229a5

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 17:24

Target

722d36c2433205b4f1ec3bad0dae81536ae7160120c79fb8bf91df080ad229a5.exe
Size

76KB
MD5

549ea22878963ea9e5533174f6ddf215
SHA1

6c9acb1ae1b2abb61b864c2ccfe5664da8d3179c
SHA256

722d36c2433205b4f1ec3bad0dae81536ae7160120c79fb8bf91df080ad229a5
SHA512

81181515d4f619f71383676b4a040bdc5d24b4c3a3a63a773040c07dc56a6bfcb937de05c5385bcd3280e8143c3065a186a0308e5b9b9cec2303896e1337d04c
SSDEEP

768:WMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:WbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
1644	omsecor.exe
768	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 1644	3648	722d36c2433205b4f1ec3bad0dae81536ae7160120c79fb8bf91df080ad229a5.exe	84
PID 3648 wrote to memory of 1644	3648	722d36c2433205b4f1ec3bad0dae81536ae7160120c79fb8bf91df080ad229a5.exe	84
PID 3648 wrote to memory of 1644	3648	722d36c2433205b4f1ec3bad0dae81536ae7160120c79fb8bf91df080ad229a5.exe	84
PID 1644 wrote to memory of 768	1644	omsecor.exe	102
PID 1644 wrote to memory of 768	1644	omsecor.exe	102
PID 1644 wrote to memory of 768	1644	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\722d36c2433205b4f1ec3bad0dae81536ae7160120c79fb8bf91df080ad229a5.exe
"C:\Users\Admin\AppData\Local\Temp\722d36c2433205b4f1ec3bad0dae81536ae7160120c79fb8bf91df080ad229a5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:768

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
13686e26a2e01a357194508717ebb9b3

SHA1
6d0752ec1fa95387ea559a51b7e119575dd0f700

SHA256
d3acc2aeb26eb43badcb9691840f777bf541e4e0d8e490ba6ea9de30237fad37

SHA512
552110cf5cbca30dde17a7783020ab99107276fcf764c486ffe2de3ea3c02f02e6628ea15d94285a18e26f2947a4ba59921081e1996720f759f647977d593aed

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
338bfc4c3448bc573864cc57f2012478

SHA1
a9847d4ea5d5172862ea26014bf3813679cf4e51

SHA256
8ba4563b523dfa5eebafdd2f2f4326b07482157331409defa3614278415a2554

SHA512
a403128069c8b748d159412d1c53c1078556469f84df047596cb6fd62af09322826cc027a39aac7d2a4329226be7b7ecf26e33244ac5fbfdaac1c630dddde8ee

Download Submit