neconyd | fb84b0f63e1a358e8b0d763ed9da8a8f8d0c2f8704d6721e9cfe2a519b5669be

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:14

Target

a6ec76bf6a43dba184db64eb1953fbf0_NeikiAnalytics.exe
Size

76KB
MD5

a6ec76bf6a43dba184db64eb1953fbf0
SHA1

0036e3014c4fbe8d6054ab2dc53c0c596450035b
SHA256

fb84b0f63e1a358e8b0d763ed9da8a8f8d0c2f8704d6721e9cfe2a519b5669be
SHA512

6e45d56dd43436ebdae30d1c2171afdf77957d8f7c51d38d33ad29f9f2ad69a731b47bd634952b6215779da5d831ab70bab14687586c01baa3312c9b4c28f575
SSDEEP

768:GMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:GbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

1060 omsecor.exe
1748 omsecor.exe
Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe

pid	process
1060	omsecor.exe
1748	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a6ec76bf6a43dba184db64eb1953fbf0_NeikiAnalytics.exeomsecor.exe

description	pid	process	target process
PID 1852 wrote to memory of 1060	1852	a6ec76bf6a43dba184db64eb1953fbf0_NeikiAnalytics.exe	omsecor.exe
PID 1852 wrote to memory of 1060	1852	a6ec76bf6a43dba184db64eb1953fbf0_NeikiAnalytics.exe	omsecor.exe
PID 1852 wrote to memory of 1060	1852	a6ec76bf6a43dba184db64eb1953fbf0_NeikiAnalytics.exe	omsecor.exe
PID 1060 wrote to memory of 1748	1060	omsecor.exe	omsecor.exe
PID 1060 wrote to memory of 1748	1060	omsecor.exe	omsecor.exe
PID 1060 wrote to memory of 1748	1060	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\a6ec76bf6a43dba184db64eb1953fbf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a6ec76bf6a43dba184db64eb1953fbf0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1748

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
454189b0b4e22bffc14853278946ad39

SHA1
64feea736e3aadb0188ddc958527ac95cfa2eb1c

SHA256
a65b9663772cdddb64aad2af10c1da4c9c87ea4c0f15ba838eb4665f5934b8e1

SHA512
ec242a9ffcace6b40bb65770960d3ff8ca90035f86fd943da83e3bb8a7e7b8a5f3f9cdec4b2e17d1dc3f6b7a1259e256a48b31b9914d077bf3b9d43b5c2d3016

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
81480af3d1998c1cf204240ed3e7ba77

SHA1
8e328eb1f028412bfc28a2f789f074dc6650bdd6

SHA256
e7e174d102fccf9a2c58d8e0b6d5f1ea58e9698281a058489698d6ff6af75b91

SHA512
6190d19f43fde89131d737fc5719736cee2235fc077164c15cb4c299eca9a6101bda3edb646f4c32302c12c7d7ede23ba12ea0668c2a851e84bbcb53552cd143

Download Submit