neconyd | e68c40371975dd0c13314b7e51ae4a64738a5f77c4ddf9709194cb94b4b6ed85

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:38

Target

63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe
Size

88KB
MD5

63b80b78b63f5395cec182e54926d640
SHA1

cb2a5edfdc7172d4080a5d63055c5c28a80cfd09
SHA256

e68c40371975dd0c13314b7e51ae4a64738a5f77c4ddf9709194cb94b4b6ed85
SHA512

b3d0a9ac632499c3493f0049ec128a29ac7b5f6eb65387a74e6db394e499873ca38c4e9e6f8dbb401d088c06b83025437f44eb6a3f3972f2d8fe277d8f3399bd
SSDEEP

1536:zd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:zdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

1804 omsecor.exe
3904 omsecor.exe
Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe

pid	process
1804	omsecor.exe
3904	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exeomsecor.exe

description	pid	process	target process
PID 5064 wrote to memory of 1804	5064	63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe	omsecor.exe
PID 5064 wrote to memory of 1804	5064	63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe	omsecor.exe
PID 5064 wrote to memory of 1804	5064	63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe	omsecor.exe
PID 1804 wrote to memory of 3904	1804	omsecor.exe	omsecor.exe
PID 1804 wrote to memory of 3904	1804	omsecor.exe	omsecor.exe
PID 1804 wrote to memory of 3904	1804	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
88KB

MD5
b8c56e0fdc4837f16918af417eac64b9

SHA1
724db549af5582a3704fa3f9e8dcebc6151503da

SHA256
4c70e245e85212c4c1b5952d97ec84c1df7354a1d69b98911f57feefc08f26d3

SHA512
37aaf2379fe9271ba9a250e28b4ff28efd8f02c8150531e901b8319f4290e6e297db7c85a742cab954b6009a2349e797d8ede05b2657632c6042d727a042658d

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
88KB

MD5
f702a9bd27e5148dd3494d244b951c2e

SHA1
5ceceb82d31403ac83c4d1162f175fcf4d44073e

SHA256
c0449a31ce1dcedeea0a7b03d31ffe090211880d433d7317ee24284fefcf834a

SHA512
3188343ceb6e33fcc43222550114a46d09e393a30c3798bb294c31d43b07f012e2e98ca0291688c32665437bc530303f4006a38660280c75facb35f828257708

Download Submit