neconyd | 8c2b4ff60f386cc6f64fb0567c0b2fc87704f14f699939943c94a0a287516837

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 01:09

Target

8c2b4ff60f386cc6f64fb0567c0b2fc87704f14f699939943c94a0a287516837.exe
Size

84KB
MD5

9db6c3f3a5b068ce6e6afff926ff7c13
SHA1

146dbfd3fb32ae87a576e3cb6a9e88686d880152
SHA256

8c2b4ff60f386cc6f64fb0567c0b2fc87704f14f699939943c94a0a287516837
SHA512

cfadc86fafd7df42e8ad775c088d66e5f2e7872b43c2ca2a625338cb04d10c8c981df7ac38c8ad3a5de09f8fa6cf687fe9d5b6936163384f1a34461d363f184c
SSDEEP

1536:Cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:ydseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 5032	4980	8c2b4ff60f386cc6f64fb0567c0b2fc87704f14f699939943c94a0a287516837.exe	82
PID 4980 wrote to memory of 5032	4980	8c2b4ff60f386cc6f64fb0567c0b2fc87704f14f699939943c94a0a287516837.exe	82
PID 4980 wrote to memory of 5032	4980	8c2b4ff60f386cc6f64fb0567c0b2fc87704f14f699939943c94a0a287516837.exe	82
PID 5032 wrote to memory of 4364	5032	omsecor.exe	100
PID 5032 wrote to memory of 4364	5032	omsecor.exe	100
PID 5032 wrote to memory of 4364	5032	omsecor.exe	100
PID 4364 wrote to memory of 4244	4364	omsecor.exe	101
PID 4364 wrote to memory of 4244	4364	omsecor.exe	101
PID 4364 wrote to memory of 4244	4364	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\8c2b4ff60f386cc6f64fb0567c0b2fc87704f14f699939943c94a0a287516837.exe
"C:\Users\Admin\AppData\Local\Temp\8c2b4ff60f386cc6f64fb0567c0b2fc87704f14f699939943c94a0a287516837.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:4244

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
67a0066c41f97ca6074b57e709bcaa1e

SHA1
9f475da129582484e2aa33bd7feba5d9f999dacd

SHA256
4bf1965317700d3360584996ffbc8b6be053c26ebbf31093ca1c5fa60af641d1

SHA512
99e21f79397c525cd58990b27018455becc73e6fb5b61441426bacb5e0d8c76d2b2d26d73f9755d6c038dedcd7e9ce2d79b2350655b296df19e494f307302bd1

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
ea8c34b74f3b6d1ebe552c7353debddf

SHA1
f7f251b6588b78f42763f29c9a7f2858a0cddf41

SHA256
78760c99e14822e23613fde7380159d5595de2530f99aa865d00e0a10e1c3504

SHA512
a140d66a26ccbeaa735f7a1cbb2a7db99e345e4a05ad147c1148bb06576fcd9926e9fbd7dec43b4553fac8115684c7b47923c09ed12e7ca40d94a847f8b099a4

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
a86c216913af1b6cafaa1946bf096fa7

SHA1
ddf705acce40f871c77693ed1d917a0f7264011e

SHA256
adef3942ad031dd0caf537551206ec3bcd1e5440884eed09b09313066fd82f0a

SHA512
3bc981e8800b67e176460f67fd1687bbcfea5097d03d778a4a88fe9c6e4924c63fc99622759af3e859aa83c74791d443e5b75a6cfe43dd93f565bcb600297ad4

Download Submit