neconyd | 14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 02:29

Target

14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe
Size

84KB
MD5

0789034351c8c03365bcdb1425bcb720
SHA1

105cd5e2e0aa963a9fb040fb00a2221e7a96d5b7
SHA256

14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776
SHA512

b6933c88f395728f22d7d0941520b65c90a332d2e61340d6275b0bd02cd8e7b619e23f321e1e3f75123c1fb2c904bd81f526697e6a6a6cc0d66a9ba6b4d49fc5
SSDEEP

1536:Td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:TdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

3024 omsecor.exe
2828 omsecor.exe
328 omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exeomsecor.exeomsecor.exe

pid	process
2100	14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe
2100	14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe
3024	omsecor.exe
3024	omsecor.exe
2828	omsecor.exe
2828	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2100 wrote to memory of 3024	2100	14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe	omsecor.exe
PID 2100 wrote to memory of 3024	2100	14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe	omsecor.exe
PID 2100 wrote to memory of 3024	2100	14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe	omsecor.exe
PID 2100 wrote to memory of 3024	2100	14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe	omsecor.exe
PID 3024 wrote to memory of 2828	3024	omsecor.exe	omsecor.exe
PID 3024 wrote to memory of 2828	3024	omsecor.exe	omsecor.exe
PID 3024 wrote to memory of 2828	3024	omsecor.exe	omsecor.exe
PID 3024 wrote to memory of 2828	3024	omsecor.exe	omsecor.exe
PID 2828 wrote to memory of 328	2828	omsecor.exe	omsecor.exe
PID 2828 wrote to memory of 328	2828	omsecor.exe	omsecor.exe
PID 2828 wrote to memory of 328	2828	omsecor.exe	omsecor.exe
PID 2828 wrote to memory of 328	2828	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:328

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
e9d56f4dc84dbcd469d308b2e492f84e

SHA1
a1e2c71b608544264fa322898efbd3972c3e21d6

SHA256
98a4075a6a9814f99c6ac464a1ab85ecbee786beb76d87131861b69631c475ab

SHA512
999f6abcb284811005942af1d7853e00c9f8fdd3350e5f41f9695bad08625674d4422fab2010cebeb124f990c11fab72f9ced6069b5e28492e108816c483b0e9

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
7800b3222e27273c3b7b3fa23f42ed80

SHA1
f98b742148109a437dd8ded0dd4aabb1dc968015

SHA256
e7c8cf21ee4a9e654493ebb76954aaf9e767d8df09ea7584b75d7354db316c46

SHA512
5ef4f45bd7d915a7f6cf563ef806d7689bd5c5d714de1698a063cc7e0841a26dc0957e61b92fddf3cb49a264b4953e32627bafbc6c2b4b69941d3f42e90a7baf

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
cc13e00e4531211f0e9a81b1fe95b7a1

SHA1
da68cb09a858e7e4f026da2c7bd19361a00441a0

SHA256
19c99c9cc7828a155f058e5d57fa0b2d93137387ac08e66c2feb488e95de3315

SHA512
d3a78db1b1bfd7396424f00bc75cb2985f5de2fa43e057880c629d775f5527f492527c12ccef0f1361ee24262abcc4c8bbb8ca9a8eb1f542052a916c984c14e4

Download Submit