neconyd | b87a21e5ac07a9b9863ee2d9e265340bef3937e3a30a92ec74c8db618d4f50af

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 01:03

Target

41f8d75e8978ed377acc0f3024a64a70_NEAS.exe
Size

88KB
MD5

41f8d75e8978ed377acc0f3024a64a70
SHA1

fc0a433aa5e13b050ae39b18cf5c59bfd61818d9
SHA256

b87a21e5ac07a9b9863ee2d9e265340bef3937e3a30a92ec74c8db618d4f50af
SHA512

3cfcfab11e7accebb66dea3c2f4117e5fa5879b10682f4769d411b101fae24ba2e39f1896a0ac3cdabcc25a529d3bd5f966ff11bc3e87a5e6537ed600d609c14
SSDEEP

768:bMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:bbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 1464	532	41f8d75e8978ed377acc0f3024a64a70_NEAS.exe	83
PID 532 wrote to memory of 1464	532	41f8d75e8978ed377acc0f3024a64a70_NEAS.exe	83
PID 532 wrote to memory of 1464	532	41f8d75e8978ed377acc0f3024a64a70_NEAS.exe	83
PID 1464 wrote to memory of 1008	1464	omsecor.exe	104
PID 1464 wrote to memory of 1008	1464	omsecor.exe	104
PID 1464 wrote to memory of 1008	1464	omsecor.exe	104
PID 1008 wrote to memory of 4592	1008	omsecor.exe	105
PID 1008 wrote to memory of 4592	1008	omsecor.exe	105
PID 1008 wrote to memory of 4592	1008	omsecor.exe	105

C:\Users\Admin\AppData\Local\Temp\41f8d75e8978ed377acc0f3024a64a70_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\41f8d75e8978ed377acc0f3024a64a70_NEAS.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:532
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:4592

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
23aa020a09d1eca6fb447c24180f0393

SHA1
79f6ccd7da37013a60df1d035f76a7c4d45387dc

SHA256
f1ca080330658d854c77440d78af2997044a8137e395ab8e60db869601373cf2

SHA512
4679487492f5618519cef482daea6b50fef5a54cb7a73b915407351b2d6e6f8efc7ea26a00da8767f70462aff1f04e2b12ad7cee381aa6c95cd837675adf9c18

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
3cf5d917a060684a9efff3074b149e97

SHA1
45fcfff1a3c4433d4f4fb4e51ae0fe25228066ec

SHA256
3de32c2e9033517203ad77ef7fd349322ad359972f4a11d2eac581bab5fca96f

SHA512
7cb1793a877f01a5516738412744aecc37c1acf8623d07e7d7939c5658d347be21c02a308469ff733cbdcb07f0653e085094333c35db74b0f12c852c22b503fb

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
ac8f9329110f8d1e564572b281ef893a

SHA1
2ef3f7287678a0f27fed89e6c9c6b7c5f0887b0f

SHA256
582c96823f03e314eae0611a052af803f3f5d60f8192680d388ef5162a4e163a

SHA512
2debd93e583c18916808570b0963b961bfc1c0b12055c8b4e096ec23618ebfab791b60de71ad415f9f304fdaa4498e70f0ba7d1a071e06c7f70e5a8573e7ba6d

Download Submit