neconyd | cf58accd6d37a98df17bf4035371c41cc68e25956d4d9d7ca9ad9a39de82f9d1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 08:57

Target

b4cbb5c95840d823fb4b88156b32efe0_NeikiAnalytics.exe
Size

64KB
MD5

b4cbb5c95840d823fb4b88156b32efe0
SHA1

b0f5c57383541eb80a00df66870d4b92ca596079
SHA256

cf58accd6d37a98df17bf4035371c41cc68e25956d4d9d7ca9ad9a39de82f9d1
SHA512

877d524b269c3c584ee4ff4d2275c40a0f65c66f23053e1eb0f893fd9223e3fced989fc0bf911ee4d909287bf7ce21745938bc668a49ab6a52d83d9a02bc7a84
SSDEEP

768:uMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:ubIvYvZEyFKF6N4yS+AQmZcl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 2424	3820	b4cbb5c95840d823fb4b88156b32efe0_NeikiAnalytics.exe	82
PID 3820 wrote to memory of 2424	3820	b4cbb5c95840d823fb4b88156b32efe0_NeikiAnalytics.exe	82
PID 3820 wrote to memory of 2424	3820	b4cbb5c95840d823fb4b88156b32efe0_NeikiAnalytics.exe	82
PID 2424 wrote to memory of 3620	2424	omsecor.exe	100
PID 2424 wrote to memory of 3620	2424	omsecor.exe	100
PID 2424 wrote to memory of 3620	2424	omsecor.exe	100
PID 3620 wrote to memory of 2792	3620	omsecor.exe	101
PID 3620 wrote to memory of 2792	3620	omsecor.exe	101
PID 3620 wrote to memory of 2792	3620	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\b4cbb5c95840d823fb4b88156b32efe0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b4cbb5c95840d823fb4b88156b32efe0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:2792

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
66c3a980fa8a684cfe9659eae946f308

SHA1
e6ee5b22aa852750b2274510f81225746b88e66d

SHA256
7d594db598b51b8f72df15830b1a9d4ebed24111c0f18f89b8f117811b594e29

SHA512
4f53127b9b528ed3ff2a6cf914e0e46b54e5af8245578312235508594af04543ebae7ea808f4ed05b1fbdde563aaecbfa36e10e91d8039760be03d879be590ba

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
805636d81cfbb8f39065f95eb5cb5b80

SHA1
7e0234cb368db9b23cc9a51f3e5b6d36c748a00b

SHA256
389cc9d35c7156082cd42d62c8534bc99979a23a0b54bb327e05a154a2712d91

SHA512
cb802b1e1bf12a4a0d6675569f31b227744be84f0688781aed422ca8b9a233731c40af4985f6e26ae717a1f282d0b591f03e19c4e83062a413776064787251d1

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
667b41ec76245f6ba5e6146349853c8e

SHA1
8cf78c5ba8e9a499206ae04cf8b9d86a7fe182fb

SHA256
321f5410b3669ef3b1b4987021bc9ebca26bcb3dd882dfb7f01a9ba12da39292

SHA512
c0cd3698bfdb6ce5e95cda937a35ce7bd0b028bcf6857fb16601598e118310829afe8206172e52d08037f8c4cddb5640620a8fe5f449072335234174a7317d29

Download Submit