neconyd | 1a9be485c47a7a64da19d5cd4b46b9be87cb880c38c19cee11dc135ff8377d24

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 19:52

Target

19352471d1b651e1f36b526272ce5710_NeikiAnalytics.exe
Size

76KB
MD5

19352471d1b651e1f36b526272ce5710
SHA1

430a8a97642e4f288b22e7646b4640b75bdd4d14
SHA256

1a9be485c47a7a64da19d5cd4b46b9be87cb880c38c19cee11dc135ff8377d24
SHA512

a037f9156f477215f2fefc90b2c1b0ffb5933891429b7b8c2a4580e8f2287566949c42e8efd2d8b0cb3cedd3e7d2061e05b4596599c94325249727994a80f540
SSDEEP

768:vOMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:vObIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
2444	omsecor.exe
3488	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2444	2412	19352471d1b651e1f36b526272ce5710_NeikiAnalytics.exe	82
PID 2412 wrote to memory of 2444	2412	19352471d1b651e1f36b526272ce5710_NeikiAnalytics.exe	82
PID 2412 wrote to memory of 2444	2412	19352471d1b651e1f36b526272ce5710_NeikiAnalytics.exe	82
PID 2444 wrote to memory of 3488	2444	omsecor.exe	91
PID 2444 wrote to memory of 3488	2444	omsecor.exe	91
PID 2444 wrote to memory of 3488	2444	omsecor.exe	91

C:\Users\Admin\AppData\Local\Temp\19352471d1b651e1f36b526272ce5710_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\19352471d1b651e1f36b526272ce5710_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3488

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
565b1971bfd6b624eb01ef7176611c3e

SHA1
6a45075c0c04408cb7b13aed897bc668851b6dbe

SHA256
32dc652ccdfe56482c974220becd282ebf674599f5f416023c09a24bb87796fb

SHA512
31688ece071a783e89e34ba39a26d5c68a2c598438fc190ef5ed5727e73ff7031b58d2c4c01dbe883c93d8bea23a031a860add4002e209665fa2546e8c7da3f0

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
290fbb6c9bedd8e0e752dd703522994f

SHA1
e82ea8c4fa0d98e141df9ef4ff5fc57a35b007d4

SHA256
2b89597457efb830e869a631411b16416c09228c7393f79da15e625a8b5749b3

SHA512
125a7d49d06abaed23438444a9ab79d46e82e4077bb4152712efaeb7fc7ab5a30ece73f857fdac69c53615975ec4b74fa1a2f4c17553fe0453ce3aefedc3e780

Download Submit