neconyd | 81de26862a342c6ea1d2a3fdd35a1825191b9fde9dffaa0eac671e84d3e7fd2d

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 02:48

Target

848d7323ff8f14e37cb1f58bc5fca2b0_NeikiAnalytics.exe
Size

65KB
MD5

848d7323ff8f14e37cb1f58bc5fca2b0
SHA1

71bff5e7817c0b117100ca2cc0b9884ede310641
SHA256

81de26862a342c6ea1d2a3fdd35a1825191b9fde9dffaa0eac671e84d3e7fd2d
SHA512

f77332e854305fe145e9da9cef8667883aaa52b48ab84038aca202f3e67ae44e4d44597a3fe0e2bdd526466a294031763ff531dff9c2da38f4111f2d21f95354
SSDEEP

1536:id9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZcl/5:SdseIO+EZEyFjEOFqTiQmOl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
1304	omsecor.exe
4404	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 1304	4444	848d7323ff8f14e37cb1f58bc5fca2b0_NeikiAnalytics.exe	91
PID 4444 wrote to memory of 1304	4444	848d7323ff8f14e37cb1f58bc5fca2b0_NeikiAnalytics.exe	91
PID 4444 wrote to memory of 1304	4444	848d7323ff8f14e37cb1f58bc5fca2b0_NeikiAnalytics.exe	91
PID 1304 wrote to memory of 4404	1304	omsecor.exe	101
PID 1304 wrote to memory of 4404	1304	omsecor.exe	101
PID 1304 wrote to memory of 4404	1304	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\848d7323ff8f14e37cb1f58bc5fca2b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\848d7323ff8f14e37cb1f58bc5fca2b0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:232

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
5ac07314ef0e215be2d0516867b9342f

SHA1
d4feff0a17d4b116f4fe4d5cbfa552f523cd3d52

SHA256
c78379fb7468af271cb323302624328fb675013d88c2d9f7d33b664ee983e564

SHA512
b4b8c25bf5f1bbea29cb2e68e775bc8e680d4a8fc94ba47a26c42fc42f2c885dd5b829c312379ba0a64700ff3c30cf3f66e6590ef064cf3f84c9aeabe8be0422

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
fc9ca4f0df618a4d23a782eeb0f63a37

SHA1
3a36b635058749426869c7cff16c00937d20d508

SHA256
4b8c82b75f2b3518d0e5cb0ca0dd9c9b7e57eb878f643ad286b1008abef13ff8

SHA512
f362c1655c6955023786463e424b5ed785835d226d1af0ee3f64b8f581f8ec4909502a0f4eb3268472d148b8ebcca1a8b361cdd25d611725cc7660321d33c952

Download Submit
memory/1304-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1304-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1304-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4404-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4404-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4444-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4444-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download