neconyd | 77e97a16f3f8e134a93c1dcb6de4a77a89ee4b057edbf74dfb6fd01e58aa57ca

Analysis

max time kernel
148s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 22:20

Target

47ded403654e8022869bc04eb8006aa0_NeikiAnalytics.exe
Size

88KB
MD5

47ded403654e8022869bc04eb8006aa0
SHA1

a177b2e5cbd4aadad6299c1bceff85b96e496d14
SHA256

77e97a16f3f8e134a93c1dcb6de4a77a89ee4b057edbf74dfb6fd01e58aa57ca
SHA512

9269d534d8274e1113ef94d49ab0a2b2ccc65c1c7c6bdfd63c06cf5816122bba3306d72d8918ac4fa29ada8c1a90370aa5a74d6f809e08725215602053299c0d
SSDEEP

768:/MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:/bIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 576	2348	47ded403654e8022869bc04eb8006aa0_NeikiAnalytics.exe	90
PID 2348 wrote to memory of 576	2348	47ded403654e8022869bc04eb8006aa0_NeikiAnalytics.exe	90
PID 2348 wrote to memory of 576	2348	47ded403654e8022869bc04eb8006aa0_NeikiAnalytics.exe	90
PID 576 wrote to memory of 912	576	omsecor.exe	100
PID 576 wrote to memory of 912	576	omsecor.exe	100
PID 576 wrote to memory of 912	576	omsecor.exe	100
PID 912 wrote to memory of 568	912	omsecor.exe	101
PID 912 wrote to memory of 568	912	omsecor.exe	101
PID 912 wrote to memory of 568	912	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\47ded403654e8022869bc04eb8006aa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\47ded403654e8022869bc04eb8006aa0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:3588

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
c4f12aaabeda7287f470e5c84efc6b1c

SHA1
599ed2f67d655d9a6a36ac09aa664cc81d88871e

SHA256
2a6a7b949d6a0d38ed2b8e319974775ca11b6295cf2c048aad1eaefe61cf904a

SHA512
5f74e0d22f0fd30157639cbd9a8cc1002aa91d57e980775d8b74863b58eb1319f641f745281fcd719248cd8255c8dcbac8d59809ed1b1a086f1766ec11844982

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
381e0ad3bdfced5734a771e72a3afc64

SHA1
4b0db500b6ef4a787b1a0ec40f62e0e79f244c63

SHA256
de2a35383595302340963bd2c225b660a03ebfc64b2af814008b79c7729f9345

SHA512
7b2191b46b8806680657b47b4b28373a25d0cf84bf5b33660c5c4882cc9d77baf36d2b0d98dcbb90882d528400f2ea349702ae2ed206f00afe8077def95b3be2

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
de94d4ada0f8967cda76165d98ef015b

SHA1
89d31931a5b2b7c5deb335045489f0b611c5a08d

SHA256
7b4cdaffd3c50890b6cd2a2d5b96b417723308fb713ee244506ce186368145a3

SHA512
ba7c0a31797ca8a7c40f96386d8f3e78cc23c7c230f7f898fe4958b3185fb34be79dae88ec3f72cf9908162c26038229efa999992775cccb3a852e1baba6caf8

Download Submit