neconyd | 2d76d5ddf0ceff3364c6fe3e39972bf251401e45640b1153bebea14b3917c951

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2024, 23:53

Target

3528c59d43e7da38d5d09c44e15be5d0_NEAS.exe
Size

76KB
MD5

3528c59d43e7da38d5d09c44e15be5d0
SHA1

195073692dd2cf372fcdf7ecd4d8c8b186391a9e
SHA256

2d76d5ddf0ceff3364c6fe3e39972bf251401e45640b1153bebea14b3917c951
SHA512

a6db3d80621c539736b271cc8d422ba7e6c2a20c2fb88bc4147ab77156a583850a8c5cae58a3b9ab024d66d7c9ef32262451dccbd107a5fbf967d3f52065cfbe
SSDEEP

768:EMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:EbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 3200	3968	3528c59d43e7da38d5d09c44e15be5d0_NEAS.exe	83
PID 3968 wrote to memory of 3200	3968	3528c59d43e7da38d5d09c44e15be5d0_NEAS.exe	83
PID 3968 wrote to memory of 3200	3968	3528c59d43e7da38d5d09c44e15be5d0_NEAS.exe	83
PID 3200 wrote to memory of 4704	3200	omsecor.exe	101
PID 3200 wrote to memory of 4704	3200	omsecor.exe	101
PID 3200 wrote to memory of 4704	3200	omsecor.exe	101
PID 4704 wrote to memory of 1680	4704	omsecor.exe	102
PID 4704 wrote to memory of 1680	4704	omsecor.exe	102
PID 4704 wrote to memory of 1680	4704	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\3528c59d43e7da38d5d09c44e15be5d0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\3528c59d43e7da38d5d09c44e15be5d0_NEAS.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1680

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
71bffa8a88ba369e6c8a1a20b954049b

SHA1
ae1db45d4696e567d2427be588c163048c5c0c95

SHA256
e9fc90a112bccbf928ea88869253e0b9d4405c8ce5f33f265b31bb82cc4e2f40

SHA512
8d4272fb7f1736ffd3265790d4653b86bcb434f657f011da3628ef7a9c435f5fe1f148a7d28ec3b722ddbb33e5953fc531a398948ba688b5f49886f40027b244

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
6c0abe69d9650705d4fd8f355ec458b9

SHA1
b96fae3c723011683607d7e9913354b0208ce7fd

SHA256
efa9afbd59234f3bcff82839449883fb9e6e39a9f162dc9a44f484e104e94e1e

SHA512
15d42a0cd4368a95697e4405d5740ca47f809e65521289c8253ace255d70119c0ebd786a9eb3a8a187c3d6f5bf443ea5f45b6b7bc221281ed2ab8f5083d65874

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
81f8470710b40e118657c1e5a87c6474

SHA1
66e609e144468c5347fac52fd3947a7e111b8f68

SHA256
e8cd66135f35d3df4111fdc83a975a640a373dfbc4317ee364cda5547f7d79cc

SHA512
1202227e66428a4e020aa57e12dd21accb0720e6c1dbeb60b346bd3a62c5df55c3021bc327b92cea6fbea6bd312710c038b62538024c0efff85031a210cb9714

Download Submit