neconyd | 52ab5c2e6c1c6fe1fcef8345151a0672cd921dacd247d8fa52f6b829ce82f5f1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 21:43

Target

52ab5c2e6c1c6fe1fcef8345151a0672cd921dacd247d8fa52f6b829ce82f5f1.exe
Size

72KB
MD5

494272cda145356436ad683657c83908
SHA1

59bbd25db1bf0c0ee790905254b46ef642285adf
SHA256

52ab5c2e6c1c6fe1fcef8345151a0672cd921dacd247d8fa52f6b829ce82f5f1
SHA512

bbb993eeb9dd60737d46e0bbfd7ab804194888ca301e02606304aae7e01624701b5a3006ad1d660b438c8966db66e8984e9d4ae287ac8b9d3a2564c6eceade9f
SSDEEP

1536:5d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211:ZdseIOMEZEyFjEOFqTiQm5l/5211

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 4236	816	52ab5c2e6c1c6fe1fcef8345151a0672cd921dacd247d8fa52f6b829ce82f5f1.exe	84
PID 816 wrote to memory of 4236	816	52ab5c2e6c1c6fe1fcef8345151a0672cd921dacd247d8fa52f6b829ce82f5f1.exe	84
PID 816 wrote to memory of 4236	816	52ab5c2e6c1c6fe1fcef8345151a0672cd921dacd247d8fa52f6b829ce82f5f1.exe	84
PID 4236 wrote to memory of 4220	4236	omsecor.exe	106
PID 4236 wrote to memory of 4220	4236	omsecor.exe	106
PID 4236 wrote to memory of 4220	4236	omsecor.exe	106
PID 4220 wrote to memory of 2876	4220	omsecor.exe	107
PID 4220 wrote to memory of 2876	4220	omsecor.exe	107
PID 4220 wrote to memory of 2876	4220	omsecor.exe	107

C:\Users\Admin\AppData\Local\Temp\52ab5c2e6c1c6fe1fcef8345151a0672cd921dacd247d8fa52f6b829ce82f5f1.exe
"C:\Users\Admin\AppData\Local\Temp\52ab5c2e6c1c6fe1fcef8345151a0672cd921dacd247d8fa52f6b829ce82f5f1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:2876

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
ea74b77f124af0c028135c80f94d6395

SHA1
eda0f898bbbf4aa4b72f6b849ccbe1cdacd739bd

SHA256
11cf4294bd31cf3751282247495ee90be2334998c02e487cd4e935c7bc44c3ad

SHA512
d194ce6ba321b4b2150a317f48358f01c6bdd9b74367c005d9ddc4bd45c89b9205acfc8d3887725742d0cf56a29ace29a61020774bade33098d893f8356a4dae

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
73ba94eac2bf65978b142ed2e57d3f39

SHA1
42e1018b8c3c3b6c56e7558949e9f2c29fe700e0

SHA256
678cdf90519de4b857dcee3116828def3100591c8f47bbdc839d029a3a0b10c4

SHA512
85aa213949426373f9d8eb4a0574ddd94cffb70d2cd2c79214f389db325995052d07e211dac3967ecfd5f42a492f2c7174389997fb1934606c72e86444b3b3aa

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
0d5b56b2d43bc96e9cd232573d592b15

SHA1
7de896b08b7bf0b638535988972c3b5a7d6a597e

SHA256
c393af3b8c5d8724b916d88650708370dcf3a18e55d065e0ab368401b4add85d

SHA512
c637d677f18e6cf68647bc896591cf790f9264168fbcc0d41ef4718c2266d696449395e02999d940199959dd36f0f1b3a9a320a6e37d17f7c2deec75aee8df95

Download Submit