neconyd | d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 08:11

Target

d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe
Size

76KB
MD5

9bf9991c94bf9af2935e453bc8885ca7
SHA1

ba2d8ae3c8810009f6fee4c2d44fb3a973d07d6b
SHA256

d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17
SHA512

f7db2057c5d6594d58676e75cc99ab9babe30c6096f85b73890256cdb7a9b0955fff4478e39719db957c740c1e87811d45fadbd24735086494bfa176eb3965be
SSDEEP

768:zMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:zbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
4968	omsecor.exe
4972	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 4968	4644	d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe	82
PID 4644 wrote to memory of 4968	4644	d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe	82
PID 4644 wrote to memory of 4968	4644	d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe	82
PID 4968 wrote to memory of 4972	4968	omsecor.exe	98
PID 4968 wrote to memory of 4972	4968	omsecor.exe	98
PID 4968 wrote to memory of 4972	4968	omsecor.exe	98

C:\Users\Admin\AppData\Local\Temp\d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe
"C:\Users\Admin\AppData\Local\Temp\d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4972

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
a5e33943d8064b6db399cf7534bd65cd

SHA1
6dcb38fbb2e35153fe016598d6ef675b038db71e

SHA256
48176186f82671f61df941d889671dd5578bafc160a5fb23d633dd88421a61bf

SHA512
c7d3962af2836b7915b5e73f7ba5678e5aacae1ba37c5f711e474549638300aa58ba195b7b429b5aba57d6d61212d6d39e8e85e789e551e58a6f895037d53e0a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
cc88e75dc8893ebd1ac3549f3d0b48a5

SHA1
b44d70ffbb38f2fd76a754cd8c3c19dff75c2a16

SHA256
948d570b0d366083ce368ee8462feac9699cc98dde6d0e7bd9adde051d6bc93b

SHA512
26cd87873149ffc50e04feee1192f477c66f3f6a36aff9f631e57c864a4cf1ce0812fa9400d753cf3214bc1a030824ca8932f1ef30c1c94b237e4486088ab92d

Download Submit