neconyd | f9828277217b81d4b9fbf52b8d99ff54f0f9aa7c5452ea3bf6733fb047af7c8d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 16:33

Target

0156355f5fc0b4cb172aab9c1956ebd0_NeikiAnalytics.exe
Size

76KB
MD5

0156355f5fc0b4cb172aab9c1956ebd0
SHA1

913daadca5a6f6b8fc3395c0bcdd131a05f8ee01
SHA256

f9828277217b81d4b9fbf52b8d99ff54f0f9aa7c5452ea3bf6733fb047af7c8d
SHA512

09d4c045204ae5bd15f5f6a3fcdd9500944ba2a3f6c1c202b4e356f0141fc9ed253b827277f18c18b26a778f32de6fbf055b0986822578bca5dbe184e313215b
SSDEEP

768:VMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:VbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
2264	omsecor.exe
5052	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 2264	368	0156355f5fc0b4cb172aab9c1956ebd0_NeikiAnalytics.exe	82
PID 368 wrote to memory of 2264	368	0156355f5fc0b4cb172aab9c1956ebd0_NeikiAnalytics.exe	82
PID 368 wrote to memory of 2264	368	0156355f5fc0b4cb172aab9c1956ebd0_NeikiAnalytics.exe	82
PID 2264 wrote to memory of 5052	2264	omsecor.exe	94
PID 2264 wrote to memory of 5052	2264	omsecor.exe	94
PID 2264 wrote to memory of 5052	2264	omsecor.exe	94

C:\Users\Admin\AppData\Local\Temp\0156355f5fc0b4cb172aab9c1956ebd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0156355f5fc0b4cb172aab9c1956ebd0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:368
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:5052

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
6990b1a95aa07f85ebba3ceb08679b5a

SHA1
e7fa1d684c78eb0378f66bf11ba91a94b1e0e973

SHA256
a6c41d083c1545f7f7133037b3f798996a8368c38f129b9a8c668eecf79b406e

SHA512
e26f4ff7c86149591492cf69e40f8993afc1154e32b1f5b6cf31fc8dabaeab1a5249397d977f6bf6088d4a16e29dcb33522d6ce61e4ce06956563783ce1ea12c

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
fd5314a081b03b19fed7874bc21460e3

SHA1
a35cf65149cb85b01f392dfc859dacad0469cacb

SHA256
67e818fca0d91e7cb6252b8280d8beabd786dc1df037be3d2a69f2169cb99645

SHA512
1b6f05c3b56095d46b3d420890c2dbc8420288fad5917420f6144cd8efce30ce6a4ef62a8018fbc4ee35f52896b50b520180d18f636f6913d6c4feca0ce93ba1

Download Submit