neconyd | 690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 22:35

Target

690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703.exe
Size

72KB
MD5

a592b40a82d919681b39f6371ac937e7
SHA1

9859ba60b97cf5509154cfcafbf3a41bdfebbbc4
SHA256

690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703
SHA512

24c972c79e3068411e1d7205ec0f16b8a75a2b9f7dd9fc0f31f6cb4f6a8beb123b1f427c20bf12e44440aabe6c0c0a79cd567406c389953eb6f709e3526fa399
SSDEEP

768:iMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:ibIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2596	2108	690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703.exe	83
PID 2108 wrote to memory of 2596	2108	690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703.exe	83
PID 2108 wrote to memory of 2596	2108	690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703.exe	83
PID 2596 wrote to memory of 4996	2596	omsecor.exe	90
PID 2596 wrote to memory of 4996	2596	omsecor.exe	90
PID 2596 wrote to memory of 4996	2596	omsecor.exe	90
PID 4996 wrote to memory of 844	4996	omsecor.exe	91
PID 4996 wrote to memory of 844	4996	omsecor.exe	91
PID 4996 wrote to memory of 844	4996	omsecor.exe	91

C:\Users\Admin\AppData\Local\Temp\690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703.exe
"C:\Users\Admin\AppData\Local\Temp\690058e9b33ce5a4543dda1601df0ae085a21a2d1faea3cab34d3eff4c98d703.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:844

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
b0b19c839140598da1fa1a228676e6a5

SHA1
7779bb91cce56b5d212c952033e98f58f5633ee2

SHA256
3cff80f9d9167e6fc9d4c8edfc971897a352c2db7d2a35bfdf3663951d5a3c86

SHA512
71fb8a89cde821e50566ba9841f58780b0152f836af2aa030a436faed0826da8767ccccc10506064336824ecb808c44d665f07149f0550ae57751920955662ef

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
298f434e7bed71dcb00b9e903c8ab34f

SHA1
def2c0cc1cd2dd7a33cd3c3cff098362d9fea2a3

SHA256
7f6329ace69938e3dd7e98c3eaedfb663720fe113ceb69dd8f60536edd6ccc21

SHA512
2978c96da2394611b244dab1240802658bcc8b8f7422ccce5fe2cd6e6a96ffaabf86b80b93a3e57b5d44360853ca431047a5b1b7f44a7166e6934b29960eb1bd

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
33aa8dc87e59bf1bcd3c42d77a9c6c99

SHA1
4469d728e9a30331db705725f6d1feb399c50ea9

SHA256
4325a9b0dd41fbb9e3cfb2e273d923d14196fa16ddd910c4458a3c0432cef42a

SHA512
aea55fcbefe2c6ef72c4fa4de3bbeab82d5da1013ea61c5b9b43484b946f0714550bc852cc99486374ef1f8ccf573f74862b880e8c9bf816e6a9bd460b5e6226

Download Submit