neconyd | 51eae04e5b7984ec441c4547b585b69ea300ca2867be45aad2fe9048f6f77b1a

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:55

Target

51eae04e5b7984ec441c4547b585b69ea300ca2867be45aad2fe9048f6f77b1a.exe
Size

72KB
MD5

213f1b0494eab73df3f4b3f74aa097a0
SHA1

a7623ecc1e9096fb042e1f1ca10f16fd7f8d72bd
SHA256

51eae04e5b7984ec441c4547b585b69ea300ca2867be45aad2fe9048f6f77b1a
SHA512

ab150280068ad49fa94ce959ecf97f8165f2590a2a40209ff0ab693c70155e096524857f638acaf5b32ef5ede919560a931533f85f0da78baafad72f648a3f1a
SSDEEP

768:NMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:NbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

4988 omsecor.exe
212 omsecor.exe
3860 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

51eae04e5b7984ec441c4547b585b69ea300ca2867be45aad2fe9048f6f77b1a.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1800 wrote to memory of 4988	1800	51eae04e5b7984ec441c4547b585b69ea300ca2867be45aad2fe9048f6f77b1a.exe	omsecor.exe
PID 1800 wrote to memory of 4988	1800	51eae04e5b7984ec441c4547b585b69ea300ca2867be45aad2fe9048f6f77b1a.exe	omsecor.exe
PID 1800 wrote to memory of 4988	1800	51eae04e5b7984ec441c4547b585b69ea300ca2867be45aad2fe9048f6f77b1a.exe	omsecor.exe
PID 4988 wrote to memory of 212	4988	omsecor.exe	omsecor.exe
PID 4988 wrote to memory of 212	4988	omsecor.exe	omsecor.exe
PID 4988 wrote to memory of 212	4988	omsecor.exe	omsecor.exe
PID 212 wrote to memory of 3860	212	omsecor.exe	omsecor.exe
PID 212 wrote to memory of 3860	212	omsecor.exe	omsecor.exe
PID 212 wrote to memory of 3860	212	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\51eae04e5b7984ec441c4547b585b69ea300ca2867be45aad2fe9048f6f77b1a.exe
"C:\Users\Admin\AppData\Local\Temp\51eae04e5b7984ec441c4547b585b69ea300ca2867be45aad2fe9048f6f77b1a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:3860

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
072df889c5a66363ec36cc8c6c8e0102

SHA1
cc3255f2a85f1020746549338910ff2d76730d15

SHA256
7f1fb07c82d6ebf12ebf555394aecca17d7679a18628d9710b9f5074b6464883

SHA512
fe0d6cae38fa771fe6bc2c108e780586408904e4ad31f3e7e8a386f85a95aa5a03fccec205a2dfa6f563052ed6c4058c0733cc2e6fbd9c46b52a1f1dbd521bdc

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
9dbe632100ac9c08c77cd3f86df58db1

SHA1
8645ca0750c1c44dc52228c2f6055a11079169d7

SHA256
4519ff8061372cb0b16eb75153991b4036a97516bb75400f8b80addef05304c2

SHA512
d899999c10702ac4950e1494c95ff8caf151de1b5d24574451be55ce44e66cd23c0f33eea494b5d99cbdc3c2e3691cd1b6d6e074dcd9ea4963c7f6d540d5c55d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
14a39979cf6b683ff854c4f565c6a796

SHA1
35b4ba01f5753e45f6ad136afb91f564dbfa8804

SHA256
ff618b16a49b67d38960ded2496df5c730460f82260cf01f36f8a71ba857214a

SHA512
444ce4a0788fb6b5cd89b2e40918d6e1ca985095c4593561910ba570611ea3a3b63e09198cd62343ce56307df9adae3be3c841d3e88b725bc021bc678990837e

Download Submit