neconyd | c8d66f81fb6872e9a575e3d9c96d74dc656884c5af212431c3ce03b6519c1796

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 01:35

Target

4dde36502dc77fbcc5cb3d22d0c2b450_NeikiAnalytics.exe
Size

89KB
MD5

4dde36502dc77fbcc5cb3d22d0c2b450
SHA1

a9f891e3f72ab1848bdb2d324bdb5aa56e586930
SHA256

c8d66f81fb6872e9a575e3d9c96d74dc656884c5af212431c3ce03b6519c1796
SHA512

97a887c89c96902445b8a034dc063e4cf1c0b77a5558fcffd2bae0a5826a69b85b273ae09f911c0dac7b48a76153b4a952530b4838a1cc1e9d3f30df426a7c21
SSDEEP

768:+MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:+bIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 4764	1160	4dde36502dc77fbcc5cb3d22d0c2b450_NeikiAnalytics.exe	83
PID 1160 wrote to memory of 4764	1160	4dde36502dc77fbcc5cb3d22d0c2b450_NeikiAnalytics.exe	83
PID 1160 wrote to memory of 4764	1160	4dde36502dc77fbcc5cb3d22d0c2b450_NeikiAnalytics.exe	83
PID 4764 wrote to memory of 3364	4764	omsecor.exe	102
PID 4764 wrote to memory of 3364	4764	omsecor.exe	102
PID 4764 wrote to memory of 3364	4764	omsecor.exe	102
PID 3364 wrote to memory of 1332	3364	omsecor.exe	103
PID 3364 wrote to memory of 1332	3364	omsecor.exe	103
PID 3364 wrote to memory of 1332	3364	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\4dde36502dc77fbcc5cb3d22d0c2b450_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4dde36502dc77fbcc5cb3d22d0c2b450_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3364
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1332

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
e7c3db1a26083756f3defd0a18f70303

SHA1
ed0c64822e50b22c6676426fbb2b6712c9d4ec59

SHA256
56f175d33b3af7737942a6ca48c634b29bc5b92eff8be161d670c17d5fc808df

SHA512
0c9364c3f033b52aeccd6745e8d096d6969988cf8164d601da1bf44ea9825e2a2618b3fcc7a8ca50015985d4873bbfc1c42eee3a4894bba37a6d8880bc257d58

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
119722b7d67e6d94fdac45a8832e64cc

SHA1
47057b09e1aa4f37e21add9e90902c3697f3b42d

SHA256
3a0a527a0b2e01a65e0557190be3223f6c5b66939a0718f113076a19b66cc037

SHA512
d5857adaedd80c0de0fe80f1b7603f573cb2688469d3a3cc460914b807b28df1452908e6f3229a340b46d42845dc223110bdcd1be598aa346f003b605e0fa532

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
cb26fe3e0db4f6fc0c8e3b7cf3c2881d

SHA1
eabd8a478d22a8e7f96330347d8bdcd191d50856

SHA256
ecb20b7b6099dfe101ab047a7c0d93b1cf194e52c5ab76ba9474bb874d111439

SHA512
e202f7437cf95961ae3ffb2f166e1dcf20736be1da70533ba9a531033027d2c5fb9fda54c810241e5a87c4111589a83d14ed88050015362e76f63c540b64f29f

Download Submit