neconyd | a80086422dcda28b32344d311800632c25a092cf05fe44dac793c91137ca23d5

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 14:17

Target

e1acc146ab0852f6b2c5128e944e8fc0_NeikiAnalytics.exe
Size

84KB
MD5

e1acc146ab0852f6b2c5128e944e8fc0
SHA1

cf98c348e6f6132581a26713ede8c6bd0a54d5d3
SHA256

a80086422dcda28b32344d311800632c25a092cf05fe44dac793c91137ca23d5
SHA512

27792e91d93fa03f400a2876331db9a96203638ae9036408f5a24caed0f4086bcb934ecdce6298a0b40be7e76019bfe097f96242d8edf4fa28ecca2ca206c807
SSDEEP

1536:Bd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:xdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 1284	4928	e1acc146ab0852f6b2c5128e944e8fc0_NeikiAnalytics.exe	83
PID 4928 wrote to memory of 1284	4928	e1acc146ab0852f6b2c5128e944e8fc0_NeikiAnalytics.exe	83
PID 4928 wrote to memory of 1284	4928	e1acc146ab0852f6b2c5128e944e8fc0_NeikiAnalytics.exe	83
PID 1284 wrote to memory of 5048	1284	omsecor.exe	100
PID 1284 wrote to memory of 5048	1284	omsecor.exe	100
PID 1284 wrote to memory of 5048	1284	omsecor.exe	100
PID 5048 wrote to memory of 2696	5048	omsecor.exe	101
PID 5048 wrote to memory of 2696	5048	omsecor.exe	101
PID 5048 wrote to memory of 2696	5048	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\e1acc146ab0852f6b2c5128e944e8fc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e1acc146ab0852f6b2c5128e944e8fc0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:2696

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
529b4043417e9458892abb9b62dfce68

SHA1
c7dbcee2e6b6e8f4b0c8f8007370b694719e86be

SHA256
d64392fa018bd743768d303eca2a49a19c0a15e48533b40513c7f2c5f4f0c1f5

SHA512
0db9179cb7b118207a73eea2159131d9bcb09657cc6d0284fc9dacf792016f792a55dd812908d5ab2c2d19790b17885ae05b9e251018ac552917433fef805756

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
b54441ff844d419541d22ffaaca9e361

SHA1
0d0d197e833cfccdfcc01547cf86ad4218325343

SHA256
88762f11ddb9384bd4c984a9698bf49b7428ce54a1926146acf9760eef63f298

SHA512
5543663cdfa8ab134749f5228f31e3aa034928f46e3b120015abc07118bb081f6bd5fcc913963e84895c6c1e6aed78688e1a27b8936b73cfbaf329d3317ff011

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
4d72349f2d9e1d80d9c6eb1c17ce5c9a

SHA1
463a1151d2c1e251c1bff06ce8e90df4dd28518d

SHA256
d016084e0724f7095f3357cbedb4f59cfdb0e917467870e15aadbf4940395c2e

SHA512
900a628462c535b083bdc9c006d33a0c0ed08eb5a2b85a0d701185b0dd161f5d20d9b6bfadca95880fa046960059d8ce5638f5374ae17c8e7ea2b468350961fa

Download Submit