neconyd | e96273ceddfcfa69af371c6bcdcfb3378fead79c7f375c9648b4bb0f2a49d5c9

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 18:49

Target

16e8aee410fba3b7938b06295343ee50_NeikiAnalytics.exe
Size

89KB
MD5

16e8aee410fba3b7938b06295343ee50
SHA1

204e5b8550ce5fd5f4afd85bd4f4bfaf65e87307
SHA256

e96273ceddfcfa69af371c6bcdcfb3378fead79c7f375c9648b4bb0f2a49d5c9
SHA512

2c40d308c41b265dcc72ba6a7c02cc58d536cb195ef739210d040ffbe012d7086c4af66705a155f70d704dadf2d5c2c3b2c66afcfb4638242bc79cda3133b41b
SSDEEP

768:sMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:sbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 4700	2904	16e8aee410fba3b7938b06295343ee50_NeikiAnalytics.exe	82
PID 2904 wrote to memory of 4700	2904	16e8aee410fba3b7938b06295343ee50_NeikiAnalytics.exe	82
PID 2904 wrote to memory of 4700	2904	16e8aee410fba3b7938b06295343ee50_NeikiAnalytics.exe	82
PID 4700 wrote to memory of 332	4700	omsecor.exe	93
PID 4700 wrote to memory of 332	4700	omsecor.exe	93
PID 4700 wrote to memory of 332	4700	omsecor.exe	93
PID 332 wrote to memory of 4752	332	omsecor.exe	94
PID 332 wrote to memory of 4752	332	omsecor.exe	94
PID 332 wrote to memory of 4752	332	omsecor.exe	94

C:\Users\Admin\AppData\Local\Temp\16e8aee410fba3b7938b06295343ee50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\16e8aee410fba3b7938b06295343ee50_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:4752

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
1951ce7124941c8bd8eabc5ee97ce326

SHA1
1efc09e3c393a6208e7e78edd01ede9501fb36c8

SHA256
e209a754b57bbb15343ffc27710468e2483cd44647750d2a37b34deca06eb21c

SHA512
66c7521ade1afb489adce0de897468610e2e3364db807e99ded35fdf30d97fc893bb97e97107cd2e4f6c63b15fefcdf88791ea825fdfdfbeb834a97140eca261

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
066218c749bce421d00e8e7646faaa7e

SHA1
6d047be2b3d275944cf567635efc6f99718814be

SHA256
ea75b331644c51d0650bb30d727ef9c0548dbf8ef257a1367e2aa131c0c6da5c

SHA512
23100ac4ab7b77632a5655db85bfe15d67c63f4d21e527448f25465350b710670ab8e9e9bba09ffed53fdfe0ebd6446d12428ab74a9dd33a245370d8901df742

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
f30ffc44545a17e0fd378ccc7dc55cbf

SHA1
1cda60d98e20266318c0a95d816ca72784a370dd

SHA256
3771d416605fb3e0f787f3181d03bd097e6cd0d44ffe8720055a34b4c42697a8

SHA512
3f62bfa0b239d4cdc68e526601a348e72e2882f12ca9e61eaf1b5f0bd4811130b7b4bd153c144f8e961c4237b55001f6af5f621b167fbf34df47132164f9a3f0

Download Submit