neconyd | f30a8d427c4c28190bcc32d49775ad9516e41245274a3595b4d3cd5dd0c885e6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 02:45

Target

8ebbd3d745f86b079c1fbb4a00f8c790_NeikiAnalytics.exe
Size

84KB
MD5

8ebbd3d745f86b079c1fbb4a00f8c790
SHA1

408e3edc19e34b28fbe8bbf6e1eb0b69ebd2c4f6
SHA256

f30a8d427c4c28190bcc32d49775ad9516e41245274a3595b4d3cd5dd0c885e6
SHA512

ebafea98a99ea5aa6c8677398d4f3b8fa282a9091327514412b0bae6a67f4309fd4de0d5c4e32f5dfcbb898515fccfbef64e169b14c1ab010ebbd7ebc2cb90a7
SSDEEP

768:RMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:RbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
2576	omsecor.exe
1836	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2576	3032	8ebbd3d745f86b079c1fbb4a00f8c790_NeikiAnalytics.exe	83
PID 3032 wrote to memory of 2576	3032	8ebbd3d745f86b079c1fbb4a00f8c790_NeikiAnalytics.exe	83
PID 3032 wrote to memory of 2576	3032	8ebbd3d745f86b079c1fbb4a00f8c790_NeikiAnalytics.exe	83
PID 2576 wrote to memory of 1836	2576	omsecor.exe	97
PID 2576 wrote to memory of 1836	2576	omsecor.exe	97
PID 2576 wrote to memory of 1836	2576	omsecor.exe	97

C:\Users\Admin\AppData\Local\Temp\8ebbd3d745f86b079c1fbb4a00f8c790_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8ebbd3d745f86b079c1fbb4a00f8c790_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1836

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
fc32a8fdcede9a83cdfc196acf719755

SHA1
ac69fa6d520a7e2a70617bbe9e10cc2e7dc54253

SHA256
03a77381491b6192a71211f21c0fca765c9278104efeb4d7fa38869a1b860024

SHA512
ff7ff082fcc9ecd76cb40f6c696216e2bb99cd88543f99dede01558fa2419367d388e6a81f2ca5fa9e13c90189db028a7e7031cd6d62523766c815466b0ec7ec

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
4b1416ef5c900915587f397751260765

SHA1
096fc88e54e8b6d6bb92386643ac1ff83411779b

SHA256
92a5e7649bed9bd01c3761af82eae32f96b74aaceffbef67648c25ec7dd27b75

SHA512
b65ebf186042e719f0932da2416eba470a486970957330f9bfb5fc94fca7d7ad58388205cd44fadfe76cb03e72a3d59d65b1b3d88d9ff6a9318714428b3b887c

Download Submit