neconyd | 097c79c852b7e404c9cfaa04a2fcd010c3a1769761f040ab0f6a6db1eed96374

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 18:31

Target

097c79c852b7e404c9cfaa04a2fcd010c3a1769761f040ab0f6a6db1eed96374.exe
Size

72KB
MD5

73740b2d73331201c0cd16be06c8c0cf
SHA1

556100d8889f6ffe9346ff5b36a8076b9c19e423
SHA256

097c79c852b7e404c9cfaa04a2fcd010c3a1769761f040ab0f6a6db1eed96374
SHA512

96a7a2dada390c91b7124d1f693aab62a1247bd623af78a50890befee4cc787773aa4f3e4819336ed0662a862a677b47a3f3ea8ee37184f548ba80160f73ea64
SSDEEP

768:CMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:CbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
2368	omsecor.exe
4312	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2368	2996	097c79c852b7e404c9cfaa04a2fcd010c3a1769761f040ab0f6a6db1eed96374.exe	83
PID 2996 wrote to memory of 2368	2996	097c79c852b7e404c9cfaa04a2fcd010c3a1769761f040ab0f6a6db1eed96374.exe	83
PID 2996 wrote to memory of 2368	2996	097c79c852b7e404c9cfaa04a2fcd010c3a1769761f040ab0f6a6db1eed96374.exe	83
PID 2368 wrote to memory of 4312	2368	omsecor.exe	94
PID 2368 wrote to memory of 4312	2368	omsecor.exe	94
PID 2368 wrote to memory of 4312	2368	omsecor.exe	94

C:\Users\Admin\AppData\Local\Temp\097c79c852b7e404c9cfaa04a2fcd010c3a1769761f040ab0f6a6db1eed96374.exe
"C:\Users\Admin\AppData\Local\Temp\097c79c852b7e404c9cfaa04a2fcd010c3a1769761f040ab0f6a6db1eed96374.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4312

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
759e87a6927cb5a79fd504eaa8f0f540

SHA1
0fc5fd84f0690ac62af2831e2a8f7f909d500da3

SHA256
6d6031da4a951bf1b08c7a88ce5a76f99480e183115be8a19c099576fa6ccb9f

SHA512
8941f4960ba8085a2257f41af278a9d092a19189248adf50dffb536ed992505dc26321b2a3478b02ceeecc48d5911ee6f7ae59732422106368cd9e74dce3777d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
27a7c3897d68a0dee2f54625290a49e3

SHA1
585075dbb5a2cf3bd6d01157ca53fe5eb2562839

SHA256
5a7fb82c3105e09e3a9d796a719c1cf8301b2dc18bbc2a3502f8ff45a73476bb

SHA512
d619d6b7ff5ad633a3859d26b3fa5845b443f0d564233cbd9a92e1e1aaf4ec7bfedf3ec8918e9123738c3a131ad857c92766c7dfe98e9dc41d015524b34b4017

Download Submit