neconyd | e6fe94943b3236cce6391e051a9d17413fadbf81d240b50f8f6fc3592176f5db

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 08:26

Target

c83c021bb16de57c5f3bd4b29fda5c70_NeikiAnalytics.exe
Size

72KB
MD5

c83c021bb16de57c5f3bd4b29fda5c70
SHA1

f4e673c2c9525448728a19814ed92b6da26891d6
SHA256

e6fe94943b3236cce6391e051a9d17413fadbf81d240b50f8f6fc3592176f5db
SHA512

0db7d89cc1cdbb3f060c55094074f6c1322c1bb33136c8b5d1ff684efbb389d646c98baf5dbf68b3258b04c8a68cb220a98c82bc24315cb5cc2880be645dd65a
SSDEEP

1536:7d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211:LdseIOMEZEyFjEOFqTiQm5l/5211

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 3096	1672	c83c021bb16de57c5f3bd4b29fda5c70_NeikiAnalytics.exe	83
PID 1672 wrote to memory of 3096	1672	c83c021bb16de57c5f3bd4b29fda5c70_NeikiAnalytics.exe	83
PID 1672 wrote to memory of 3096	1672	c83c021bb16de57c5f3bd4b29fda5c70_NeikiAnalytics.exe	83
PID 3096 wrote to memory of 4288	3096	omsecor.exe	97
PID 3096 wrote to memory of 4288	3096	omsecor.exe	97
PID 3096 wrote to memory of 4288	3096	omsecor.exe	97
PID 4288 wrote to memory of 4268	4288	omsecor.exe	98
PID 4288 wrote to memory of 4268	4288	omsecor.exe	98
PID 4288 wrote to memory of 4268	4288	omsecor.exe	98

C:\Users\Admin\AppData\Local\Temp\c83c021bb16de57c5f3bd4b29fda5c70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c83c021bb16de57c5f3bd4b29fda5c70_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:4268

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
acea25f0913174a8f1411497bf34d3d6

SHA1
197009e5d6fc6e3df1e4c4d151d171c54d7706ab

SHA256
545cd8f83f28b5af43569ccb2b4c57fd5efc02b9d1b6f846b561ff4c0990a83b

SHA512
9160b34770b388d6c5e40c8da14b46f20e1d20fb46b86443f0c94d6229b08b524b92ef60253807414c1a96247b0d3f3732fd11ade72e0ce6cc71c683a4040d2a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
b515345afafbfa869ed9b9e665bfffa5

SHA1
649fca7226c6da78a85883958429dcf3c2dd301f

SHA256
541c33a43c61bf71e3aba742ab116d31c3a89f71b9a317a7058d8c17a1bcdad1

SHA512
5f1722db6de5af6f3b078a23603df9fe04f5e2886ef142bb64e18339814e07879865962aca50ff0ac807916f251bc4d19335173b7fef99bb51b7ab5f003234ea

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
486d89f4702edd4248048030e6b0af7b

SHA1
f65aeb29e42ed771400bf54384044694f568ea54

SHA256
dbc789708bbf2d1648198891d805c8d0b7226d33d38f74232f839547828d7e90

SHA512
020f33eef8f44e3d2a2e56820db29cfc1a82ea313c5cff6d7e6149778202b992d00db6fe0672d69dead57d041f4272fa655621b8caf706391891a38cece3169d

Download Submit