neconyd | 8cc5952323d33d54ab6a02333ed87f0e598133b9ac607c287f1e9aa4b64ff3a6

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 03:25

Target

9884ca4816c2dec04fda5f3ae6484370_NeikiAnalytics.exe
Size

89KB
MD5

9884ca4816c2dec04fda5f3ae6484370
SHA1

b9912a1513c4d850a4ce82f4ba09bf5486d83b3f
SHA256

8cc5952323d33d54ab6a02333ed87f0e598133b9ac607c287f1e9aa4b64ff3a6
SHA512

35bfb998c460ff6f94c4ad00e2be3d53e3dfe88038a7c80e5d38209a386911a9829f699de54c67d03d4a1aed5947316c8914786c6858259b632d8c7341e2ea71
SSDEEP

768:kMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:kbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 768	5032	9884ca4816c2dec04fda5f3ae6484370_NeikiAnalytics.exe	82
PID 5032 wrote to memory of 768	5032	9884ca4816c2dec04fda5f3ae6484370_NeikiAnalytics.exe	82
PID 5032 wrote to memory of 768	5032	9884ca4816c2dec04fda5f3ae6484370_NeikiAnalytics.exe	82
PID 768 wrote to memory of 3508	768	omsecor.exe	99
PID 768 wrote to memory of 3508	768	omsecor.exe	99
PID 768 wrote to memory of 3508	768	omsecor.exe	99
PID 3508 wrote to memory of 5008	3508	omsecor.exe	100
PID 3508 wrote to memory of 5008	3508	omsecor.exe	100
PID 3508 wrote to memory of 5008	3508	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\9884ca4816c2dec04fda5f3ae6484370_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9884ca4816c2dec04fda5f3ae6484370_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:5008

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
066ed2ebddf53ea328b7b8a8d8ad2482

SHA1
25edcb891a057ede70b749b53e3f92de4f0ddb46

SHA256
956ca45fa9f0e71f84e051f2853f6ab5f9b91c8923eca8ede1a423062ac5789c

SHA512
22ca0740191752d093786c8ddb5f2b6c02564ff4c68d8be4c62348d837e98a7e1e48c2dfcb9403f5a3285d7812518804b4d4ae96e517de3f120c432d73537786

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
aeab40b561f779cf24c622387ab9331d

SHA1
be9c33866639731c2329c25a6c7a2269ec286754

SHA256
f1a6bd3fe2e13f72816e29c03c462f2a558479af6b270d65c05540534e105f3c

SHA512
e747dba10f2fae692673cfa34e9d6500454e2a0a6bedff4f5c0e5e78e01ab6aae72b135367545e4c24fa206e9cc6af2642a7c53ae89613d7c6ba20b12918c44a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
2e7de4e98cbf7d0a13b112099dad0f6d

SHA1
1d75cb57df74b781ce838f2303df44298e009dd2

SHA256
fe27f9bfb01b368e7ecc79955326ba2a27c9859cfcb1f700c2db61c70e8e7857

SHA512
8eef68a575ff9c19082e92f6f80000f054a9830802b4ff8a5e25b971f1b05632a67ecc004fd588a909133292aff7f1d4ad41943de8b23b80fb0721c3a3886a2a

Download Submit