neconyd | d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/05/2024, 08:11

Target

d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe
Size

76KB
MD5

9bf9991c94bf9af2935e453bc8885ca7
SHA1

ba2d8ae3c8810009f6fee4c2d44fb3a973d07d6b
SHA256

d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17
SHA512

f7db2057c5d6594d58676e75cc99ab9babe30c6096f85b73890256cdb7a9b0955fff4478e39719db957c740c1e87811d45fadbd24735086494bfa176eb3965be
SSDEEP

768:zMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:zbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Loads dropped DLL 6 IoCs

pid	Process
1984	d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe
1984	d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe
2636	omsecor.exe
2636	omsecor.exe
1704	omsecor.exe
1704	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2636	1984	d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe	28
PID 1984 wrote to memory of 2636	1984	d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe	28
PID 1984 wrote to memory of 2636	1984	d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe	28
PID 1984 wrote to memory of 2636	1984	d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe	28
PID 2636 wrote to memory of 1704	2636	omsecor.exe	32
PID 2636 wrote to memory of 1704	2636	omsecor.exe	32
PID 2636 wrote to memory of 1704	2636	omsecor.exe	32
PID 2636 wrote to memory of 1704	2636	omsecor.exe	32
PID 1704 wrote to memory of 1004	1704	omsecor.exe	33
PID 1704 wrote to memory of 1004	1704	omsecor.exe	33
PID 1704 wrote to memory of 1004	1704	omsecor.exe	33
PID 1704 wrote to memory of 1004	1704	omsecor.exe	33

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
a5e33943d8064b6db399cf7534bd65cd

SHA1
6dcb38fbb2e35153fe016598d6ef675b038db71e

SHA256
48176186f82671f61df941d889671dd5578bafc160a5fb23d633dd88421a61bf

SHA512
c7d3962af2836b7915b5e73f7ba5678e5aacae1ba37c5f711e474549638300aa58ba195b7b429b5aba57d6d61212d6d39e8e85e789e551e58a6f895037d53e0a

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
e1e514cd1a47ea054571440cd501b379

SHA1
b59e07ee87e7cd4960899a6f8f1eee944df05c3b

SHA256
c9400e7c843a5781d1aeb9647a019432be5c3ee1e4f0a981157fca11942ca90a

SHA512
8ce8f15595919bcaccc7104d554cd0f6d7106bb9a96d634c341a319733b6b47d3ebc340e6ea513f58e92ba591160e4f6e8777014fd4198416f8e957e62b67d1e

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
75e4e2b30776a266dfc95612f9f65cfc

SHA1
6bcf354dc6413f232a195a2d67b8bd8b6a4ab67a

SHA256
58ae4545f12b5c67ec4cf6e04ff11719ba73605cc847df0085e773525fe6c5e5

SHA512
53ea840be63f2a0d2fac9dbf01324eafe81ea9ea419e720cb8493f49ea68b433cb8aa456d6bd4a50f450e7782eb0b27c41b8121c98eb9c7d7ff65b1f7ea9e41c

Download Submit