neconyd | 17c185a2c0d7db1ad1c29cd637557674967baba5584f095035bc49c9cdd31041

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 15:16

Target

23ae0965995ed3c4551e9ca3503b8ef0_NeikiAnalytics.exe
Size

88KB
MD5

23ae0965995ed3c4551e9ca3503b8ef0
SHA1

38cdaf5c6aaf3fc7d3cb0340e67ed6ffbd67347c
SHA256

17c185a2c0d7db1ad1c29cd637557674967baba5584f095035bc49c9cdd31041
SHA512

e3ea2d146f38bde923f46a19f983a5bc456677a7710aa8d90f9112e21a50e54d9c372b794151539d2f0cf31d2e9acedf2c1bab1dfd2ed46ca89f287209cd13c4
SSDEEP

1536:id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:SdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 4304	3704	23ae0965995ed3c4551e9ca3503b8ef0_NeikiAnalytics.exe	82
PID 3704 wrote to memory of 4304	3704	23ae0965995ed3c4551e9ca3503b8ef0_NeikiAnalytics.exe	82
PID 3704 wrote to memory of 4304	3704	23ae0965995ed3c4551e9ca3503b8ef0_NeikiAnalytics.exe	82
PID 4304 wrote to memory of 2592	4304	omsecor.exe	104
PID 4304 wrote to memory of 2592	4304	omsecor.exe	104
PID 4304 wrote to memory of 2592	4304	omsecor.exe	104
PID 2592 wrote to memory of 4968	2592	omsecor.exe	105
PID 2592 wrote to memory of 4968	2592	omsecor.exe	105
PID 2592 wrote to memory of 4968	2592	omsecor.exe	105

C:\Users\Admin\AppData\Local\Temp\23ae0965995ed3c4551e9ca3503b8ef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\23ae0965995ed3c4551e9ca3503b8ef0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:4968

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
e0af0f522407bf0d3a5908c550e1e89b

SHA1
53344131048130c981046a5c0ba6e07b5fdbdb81

SHA256
c3455cd6518f7616fbdebad881b1505c51979a57476e8cdbd5924fd951498830

SHA512
44ede6b5f41b244fc1da1b6e2d4bdfa8d9c66adbead2d5437edd1b0e2f403458940d0da13ef63aef7f589f107bc7bf42b85645e76ab60307ff1819732493da8f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
15e64397c60d69d1e89b99c11e9726f8

SHA1
6f2fd5f0f77a6b9053758dee0f5db246d8652468

SHA256
52a9baab13b7c85d1e3f06f4f9d7c20fb25eb1b79193a9b94a03b86779f883d2

SHA512
a15f9c3eee6ff0edfb2da63249557cf3dfc075debcd40cc8addb578aaf1a350a350a9366ac08ea081f51a1caa3e5a0e9fdd468096732b2f497c0f68498026373

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
9ef5e6a4f88a7c7e306680ac6f27d5d7

SHA1
4bb858f9ff41f1709aff8f1daf8885dc7b2c3638

SHA256
bad2dfc07eeff60ea9ffac098a963273910f0eb735cab4fc288f91c6905fd17a

SHA512
ff9f61ea6cc66de692fa28756207382f54ce1c3296575e925cb0ecd80b1fd3be6a835b8b3b1713682e33f580e0b17fce735c6167ef8bd84199b2cd2f3a5e9fbc

Download Submit