neconyd | fae9755130481f576308a55fbc8b3a28f48ca68a7cb5d7a43d9870716a91881a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 19:36

Target

2ff0895a476c899b424463c0b37cb120_NeikiAnalytics.exe
Size

68KB
MD5

2ff0895a476c899b424463c0b37cb120
SHA1

2dec326faae455d22292209d0cba6dbb13752dad
SHA256

fae9755130481f576308a55fbc8b3a28f48ca68a7cb5d7a43d9870716a91881a
SHA512

a1a9d8866d2d2f5cb3691328f0398b6ebf28cc0d6dc0bdd591f79fa8cbdf0c8a881a64aa9ccde19ea3614e54c9155da54b2bddb35ab6c73b2436acb72ca339be
SSDEEP

1536:+d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:mdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 5072	1220	2ff0895a476c899b424463c0b37cb120_NeikiAnalytics.exe	82
PID 1220 wrote to memory of 5072	1220	2ff0895a476c899b424463c0b37cb120_NeikiAnalytics.exe	82
PID 1220 wrote to memory of 5072	1220	2ff0895a476c899b424463c0b37cb120_NeikiAnalytics.exe	82
PID 5072 wrote to memory of 680	5072	omsecor.exe	92
PID 5072 wrote to memory of 680	5072	omsecor.exe	92
PID 5072 wrote to memory of 680	5072	omsecor.exe	92
PID 680 wrote to memory of 3288	680	omsecor.exe	93
PID 680 wrote to memory of 3288	680	omsecor.exe	93
PID 680 wrote to memory of 3288	680	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\2ff0895a476c899b424463c0b37cb120_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2ff0895a476c899b424463c0b37cb120_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:680
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:3288

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
28c34ecbaf2e048b7d0101dfdd6bc1f5

SHA1
92e59ff56de3095bcdf3003592f7626f0e1314d2

SHA256
8f76f3986e5b2bba95d85c8be5aebdef4abfdef77fd4d70591dfdbd8597947c9

SHA512
15549649b30a153b80187c52a526bb56481a2aa52e1b204b1971b35281a0700946b23b6a4c8b289e1e750757639dd8e368fde3007c2967c15e454b8b0bdb5309

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
9127625884a020dd1a0d95401c2899c0

SHA1
7eb6dc32b9a49dd641721807e73f601d13a602a1

SHA256
9b9664c3120309b8cf92ff30b186f9bca73a2d19d3159617cd70d3bdbdb792e6

SHA512
9c212c23ba48a79e81b5f1472e9718d4dc68b374cc1f0fd60ce7a454ccf00a66c725cf39a41d8f472b1001c8402f9a88ccd862092d989ad24c7c4ac5b323bb3f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
68KB

MD5
eb42735ef4dc0c3cf2024d118e1c65dc

SHA1
6c6b06fa9abbe61ac55499e397871b06b5279b8d

SHA256
dcf4f3ab1ddd3787626490e97e222a980c7efd36fa14304500154f17a110c53a

SHA512
0309289c1e668ff19cdf08d1446b8d291a64ebeb8a881f964bc5733b245c43290b6218ab3609799b4bde9c15ec7dfb211f88cfda0df9f653afdd1eeef8bd9677

Download Submit