neconyd | 14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 02:29

Target

14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe
Size

84KB
MD5

0789034351c8c03365bcdb1425bcb720
SHA1

105cd5e2e0aa963a9fb040fb00a2221e7a96d5b7
SHA256

14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776
SHA512

b6933c88f395728f22d7d0941520b65c90a332d2e61340d6275b0bd02cd8e7b619e23f321e1e3f75123c1fb2c904bd81f526697e6a6a6cc0d66a9ba6b4d49fc5
SSDEEP

1536:Td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:TdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

4276 omsecor.exe
3216 omsecor.exe
4160 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2432 wrote to memory of 4276	2432	14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe	omsecor.exe
PID 2432 wrote to memory of 4276	2432	14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe	omsecor.exe
PID 2432 wrote to memory of 4276	2432	14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe	omsecor.exe
PID 4276 wrote to memory of 3216	4276	omsecor.exe	omsecor.exe
PID 4276 wrote to memory of 3216	4276	omsecor.exe	omsecor.exe
PID 4276 wrote to memory of 3216	4276	omsecor.exe	omsecor.exe
PID 3216 wrote to memory of 4160	3216	omsecor.exe	omsecor.exe
PID 3216 wrote to memory of 4160	3216	omsecor.exe	omsecor.exe
PID 3216 wrote to memory of 4160	3216	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe
"C:\Users\Admin\AppData\Local\Temp\14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:4160

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
84KB

MD5
eba5ad7b9322cf4da53c1526b95ebd61

SHA1
bba5614f73380729ebf4cc4e654f1039668f05f4

SHA256
2ba9b5ec56574fc2454fca9906c25b3df93c38ea4f2a53e4f30eb74a74bf5747

SHA512
60b3fee2fb3b3f95fb29f5812e80a8c54d8898c2071f8a30c818bbbe5cfffff27e49dea90386475d9801a785d9c9848068dc8100d136e4a3f3ee1113b312c394

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
84KB

MD5
e9d56f4dc84dbcd469d308b2e492f84e

SHA1
a1e2c71b608544264fa322898efbd3972c3e21d6

SHA256
98a4075a6a9814f99c6ac464a1ab85ecbee786beb76d87131861b69631c475ab

SHA512
999f6abcb284811005942af1d7853e00c9f8fdd3350e5f41f9695bad08625674d4422fab2010cebeb124f990c11fab72f9ced6069b5e28492e108816c483b0e9

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
84KB

MD5
45ca35139769a8664885c4862bdf1328

SHA1
7043f4c223f4332a7d1eb90934e2d79f9a290e47

SHA256
acc329c293773d5cdb6435cdb17046535999e6bfade6de30fcb6069242619507

SHA512
f1bc79f4dc274c28af28239d5650f66707454fa54332bd5107a14b79cd5385119ac42bb7d1f2a69112f3f1de3e2cc89911acc7cc4255f366ebe4f281c718cfec

Download Submit