neconyd | 4f8eab55c185ced3aec2de348aec9026a3ae9d2b07a7086cd87225e4d20e3387

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 12:28

Target

de86bcecd5ab117c9ddb8d6656cd2c20_NeikiAnalytics.exe
Size

89KB
MD5

de86bcecd5ab117c9ddb8d6656cd2c20
SHA1

a6c5feb3548f464de304ede65e05f951135462b8
SHA256

4f8eab55c185ced3aec2de348aec9026a3ae9d2b07a7086cd87225e4d20e3387
SHA512

87888d11431b6647bcb3e80c84e37fcb3193a7fbcc524f7af45306484fa91d697577635fe050d29f5720bb976741f72c2ff25f125ddc50f26a0d9764a44d4185
SSDEEP

768:ZMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:ZbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 3544	5052	de86bcecd5ab117c9ddb8d6656cd2c20_NeikiAnalytics.exe	82
PID 5052 wrote to memory of 3544	5052	de86bcecd5ab117c9ddb8d6656cd2c20_NeikiAnalytics.exe	82
PID 5052 wrote to memory of 3544	5052	de86bcecd5ab117c9ddb8d6656cd2c20_NeikiAnalytics.exe	82
PID 3544 wrote to memory of 4336	3544	omsecor.exe	91
PID 3544 wrote to memory of 4336	3544	omsecor.exe	91
PID 3544 wrote to memory of 4336	3544	omsecor.exe	91
PID 4336 wrote to memory of 4040	4336	omsecor.exe	92
PID 4336 wrote to memory of 4040	4336	omsecor.exe	92
PID 4336 wrote to memory of 4040	4336	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\de86bcecd5ab117c9ddb8d6656cd2c20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\de86bcecd5ab117c9ddb8d6656cd2c20_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:4040

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
3c16237bff7b078f69e35449c5f2ff53

SHA1
0902f21d33c7e6a1025d6b21dee08a70d104245b

SHA256
bbccc78471c86a88262cdcaf6d366073e72de3b12cc2e6d5e6a9ec9d6a50103d

SHA512
005204e3580674c27058799b82ab6c729e7f5fa329fb8021f2a14929593f07cbccedef6645c5657463a17021786ec421202a5ddc3ce9955cb1c032a9dd0ebaef

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
654a82bb4f83a017d36d29107c782da1

SHA1
ac087ece0430443d68ee062cdbec078a6664d672

SHA256
b3324cdd9226f63a02577504d8267ee09eb32bd0969681472945336b8af4bf82

SHA512
52850bbf90e46c96af30997506315ad2f418ab37a8564446958907001cf0c2e71dfa73ac84309cf1148e84868f9496d544d43f6cd5bba718eb3c298482c0338b

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
fd1788aa2f1aa71fd6dde43d3916ab1e

SHA1
08de4f47caa26f605d0a329a491cccd7e2f0ddee

SHA256
a3efe9e841e7798feab6367ba0b6358c368e651e6f0a8de3d097a689596dfa1b

SHA512
cdfd739956fbcf6d746d72083e54b1d6a8e439a71ffaf13aee9ce2de80357429137be890037d8d2820d5bfcdf4681d23a3ec4b06432840e58ac5a27017eb5389

Download Submit