neconyd | 04bf2f640affb7d4a6c6f2fd8644471301a9b0f0f4d0b6407b55f5784db6bb06

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 14:32

Target

0ea0473e79c565198836f8c68397e1d0_NeikiAnalytics.exe
Size

89KB
MD5

0ea0473e79c565198836f8c68397e1d0
SHA1

04a460382a2ca31bc366932cc17f66fdcc9249bc
SHA256

04bf2f640affb7d4a6c6f2fd8644471301a9b0f0f4d0b6407b55f5784db6bb06
SHA512

5ce411f784e9b52fd1a743bb6449a5ba6f8fd1404fe0a23fdf48dd844a26f050898a48e64faa7c20bcd3378760bf69dc344868224fd499b0f79299a11be68bfb
SSDEEP

768:LMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:LbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 512	4496	0ea0473e79c565198836f8c68397e1d0_NeikiAnalytics.exe	84
PID 4496 wrote to memory of 512	4496	0ea0473e79c565198836f8c68397e1d0_NeikiAnalytics.exe	84
PID 4496 wrote to memory of 512	4496	0ea0473e79c565198836f8c68397e1d0_NeikiAnalytics.exe	84
PID 512 wrote to memory of 5100	512	omsecor.exe	101
PID 512 wrote to memory of 5100	512	omsecor.exe	101
PID 512 wrote to memory of 5100	512	omsecor.exe	101
PID 5100 wrote to memory of 1280	5100	omsecor.exe	102
PID 5100 wrote to memory of 1280	5100	omsecor.exe	102
PID 5100 wrote to memory of 1280	5100	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\0ea0473e79c565198836f8c68397e1d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0ea0473e79c565198836f8c68397e1d0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1280

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
09cf74efe8433fe597ba0732886da3f9

SHA1
5b6c845a6904a361142d209abd36b17f7b94d3b9

SHA256
e8f1c98b009571c3a9fe229a7565cc625bf8851cb3daaa163474c968b33919e7

SHA512
d7980b9b0e2fc2c2ea666ce418573e6e22ad87d7d04c20ca4ab743c86a2fa4b8b58315fcfab28da9d2aaffd9ef66aba6a06626c94327578f190e0970afa4cdfa

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
f1327f1f7b510583e3a8586aded218ca

SHA1
6400a002af63ddf9aa8514847429a19f47bda0bd

SHA256
ad4bed6f81d60f9bbbb4d391f294c06f92947a89bf343f4b8fa62f7ef9266016

SHA512
6759c348adb21d21fefe2d2a3da8a34b2840bebda0394022929ded7f0c9bd079fc65e179b8fcd21ddebd1684cd868a359c1421cba2c0ec4fc3a0abcfab82f4dd

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
518f0548036ce21f2b6896de8179197c

SHA1
ed98d1ea4ccdef946123a6d662ae9e9e622a8f79

SHA256
e9a33912349876fb3b7f0de8b4356b5846650ab9124dbb715d3be130c752b7e4

SHA512
47e636efa4a718a3730ff451db1a99c5f97006533e2247cd227b157857fe742e53a9919c76c4393b10e08f372737bbc6e8b1dfc3a359cf4d4a0ba578cb6aced5

Download Submit