neconyd | 327fdaee5209f50e7612cc936993700416eb241d3a2888d2746bd9ff86180d10

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:48

Target

16ea67cd322a3192fba2492d5a681b50_NeikiAnalytics.exe
Size

88KB
MD5

16ea67cd322a3192fba2492d5a681b50
SHA1

7d537c73a336ba181b7769935c2fd336a173f563
SHA256

327fdaee5209f50e7612cc936993700416eb241d3a2888d2746bd9ff86180d10
SHA512

2689666764bfd91b11656953b41751ec88e88708f84af2acaba1f80841b07ffdd7de650185c0cc8ba7cc531598a8d831465a30692442b9d357638877cab1af81
SSDEEP

1536:Vd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:ddseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

4728 omsecor.exe
4352 omsecor.exe
4212 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

16ea67cd322a3192fba2492d5a681b50_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3588 wrote to memory of 4728	3588	16ea67cd322a3192fba2492d5a681b50_NeikiAnalytics.exe	omsecor.exe
PID 3588 wrote to memory of 4728	3588	16ea67cd322a3192fba2492d5a681b50_NeikiAnalytics.exe	omsecor.exe
PID 3588 wrote to memory of 4728	3588	16ea67cd322a3192fba2492d5a681b50_NeikiAnalytics.exe	omsecor.exe
PID 4728 wrote to memory of 4352	4728	omsecor.exe	omsecor.exe
PID 4728 wrote to memory of 4352	4728	omsecor.exe	omsecor.exe
PID 4728 wrote to memory of 4352	4728	omsecor.exe	omsecor.exe
PID 4352 wrote to memory of 4212	4352	omsecor.exe	omsecor.exe
PID 4352 wrote to memory of 4212	4352	omsecor.exe	omsecor.exe
PID 4352 wrote to memory of 4212	4352	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\16ea67cd322a3192fba2492d5a681b50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\16ea67cd322a3192fba2492d5a681b50_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3588

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:4212

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
b7bf4f3a1274384cf43f56a36a90d1ba

SHA1
0d67c9de69241056a0f404226ab0d9258f64f60e

SHA256
d16bbbbe1a8e54988e6a489b43230ad52852a728992373806061e595e687b516

SHA512
6b2799632ac00267ed7916762fff1c080992d60eabac186757e630d49f06b37d3ae04b926a14b5a7b817836cbe2f8fb4cdc3d1ecb7cce74ab176c616739874b2

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
2ae8c8f771932553f9a2a2c5807cdbb5

SHA1
1b91bfe2d79ef26dd7e85b309b55264a879552da

SHA256
e2d1accf00e0f48979f3dc397f4aee24ab91df28b227f7d81f58f5b546e3f254

SHA512
410a6cda90cec47bfdf792e5a1723da6f0d9597961bac4450ee83efcc6eb3de438a33f9d28e3e1f18f71dd1fc8ac14356b889b6f3f9e3c9c2b760f4abf76bd85

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
9ba4e839e154ea8e530b2f63d3d05579

SHA1
383eb8b6d731a57dad577159f2b486f9a02d65c8

SHA256
dc6fb781e59bae2f49fe7db4312af5ca443b37fbef0032cc72d1a6215d6a33f4

SHA512
c9bab727d7414048eadffb60e2b17fd6d72b198529e3451e6030da48ee03977d4aac04ef351d9343082383ccb5148cae2995b5f1ac31e8f5cd767a9a0cb25845

Download Submit