neconyd | 28706a55c8770d5ce4bd44669c6cd1deb059bfe4b2189324a23d8c488972a61f

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 01:41

Target

9820d839f42f4f2e9ea4d7957cd24d30_NEIKI.exe
Size

88KB
MD5

9820d839f42f4f2e9ea4d7957cd24d30
SHA1

0760bcc46ad9b2d3bc1f74323fe7049c26310882
SHA256

28706a55c8770d5ce4bd44669c6cd1deb059bfe4b2189324a23d8c488972a61f
SHA512

fac4bf4de9c07477d8ad29edacc2b5a1feaf8e097b2a1fbedaa9b933b5b2e7f8799df61f370f76c1610b541e02e07b5df6581aff1a12c97d4abdb3e38777d40a
SSDEEP

1536:1d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:9dseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 3492	4568	9820d839f42f4f2e9ea4d7957cd24d30_NEIKI.exe	84
PID 4568 wrote to memory of 3492	4568	9820d839f42f4f2e9ea4d7957cd24d30_NEIKI.exe	84
PID 4568 wrote to memory of 3492	4568	9820d839f42f4f2e9ea4d7957cd24d30_NEIKI.exe	84
PID 3492 wrote to memory of 1532	3492	omsecor.exe	112
PID 3492 wrote to memory of 1532	3492	omsecor.exe	112
PID 3492 wrote to memory of 1532	3492	omsecor.exe	112
PID 1532 wrote to memory of 1056	1532	omsecor.exe	113
PID 1532 wrote to memory of 1056	1532	omsecor.exe	113
PID 1532 wrote to memory of 1056	1532	omsecor.exe	113

C:\Users\Admin\AppData\Local\Temp\9820d839f42f4f2e9ea4d7957cd24d30_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\9820d839f42f4f2e9ea4d7957cd24d30_NEIKI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1056

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
abacdbe7418bb73e6dd72b667dc92fe1

SHA1
feb0e6608b4821de5372b48cfc169c5f1d8e0a91

SHA256
a380597d868c0b4d0a3228f48ba9aa91877d34a16099b8e31f8743edbf5a6fba

SHA512
3595fd6521770cb2fc06ec7129a32792c0263385d4e8f75a05f2987250e2e9f20836672e77f8899c066d10a37597eb091ea29ec36e1dd684d4318752b7395ee4

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
0ff174c3caba986773fb7a0634ac70a5

SHA1
35f69714fe956abe1265a7692938b089828a3b6d

SHA256
b51c6afd0f52d1e43765e8814806fdeecf4e751006d3481afb115fa34a07355d

SHA512
134707939ac3ebe412c4ad13fae42ac4bc1f1a2e898d888d4600a56118110d9bcbd0493ddfa2e20ac2e04271226fb6488af2dc17fbedc2d3cebb5e40be48f1cf

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
ff4d043fb7d48ef4d351a377c262475c

SHA1
7ab6532a2d406b51b53b18e2b3fc2215785e49b4

SHA256
4e6d805c0d371e393f180ff9f1bb9b3ff724906268ba54dcc4bc1bb677ebf450

SHA512
af37ef8a787e696375b6cbb1cd5b5662764106d8d6541bd8ad739be8277751bfd38a0e917d6a55e274db4fb9015343ffdf2c92171cec7601ad386e39f767a3a7

Download Submit