neconyd | 94715f5fa671f0dfa29eba6ecee76ac1eec3c36dfb87991f285b8581297ef0e2

Analysis

max time kernel
139s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:47

Target

70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe
Size

72KB
MD5

70ff0a388a2f4b11613b8e14915caf80
SHA1

979b71a89232da68f34423dd3d59d87c17b2c07a
SHA256

94715f5fa671f0dfa29eba6ecee76ac1eec3c36dfb87991f285b8581297ef0e2
SHA512

8ad803e0b73781b63ba02d0c65e87a5e96ecffbb981b0d623d85725352059f9638a6c574e587f3e13fc4f2f48310c7cda988b05b6c0d79ccb68443196840ab42
SSDEEP

1536:Id9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211:4dseIOMEZEyFjEOFqTiQm5l/5211

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

532 omsecor.exe
2120 omsecor.exe
Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe

pid	process
532	omsecor.exe
2120	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exeomsecor.exe

description	pid	process	target process
PID 4112 wrote to memory of 532	4112	70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe	omsecor.exe
PID 4112 wrote to memory of 532	4112	70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe	omsecor.exe
PID 4112 wrote to memory of 532	4112	70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe	omsecor.exe
PID 532 wrote to memory of 2120	532	omsecor.exe	omsecor.exe
PID 532 wrote to memory of 2120	532	omsecor.exe	omsecor.exe
PID 532 wrote to memory of 2120	532	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\70ff0a388a2f4b11613b8e14915caf80_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3984 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:2704

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
72KB

MD5
66d88d261c2449bf09783438ea9f3b4a

SHA1
8b408014293c1b66f6f06f9e19e95fb91031b364

SHA256
b28a52ee5ebde7c7335ad2428ee4c7e26cc8fba026645f4825e969e447963cc9

SHA512
362a18575d0098434e0e706dc208412d0ebad63e5f2e6cfbe9335dba49e4beb28690ca51a40ee2299f4a97351ea298d16ac2e92dfc996e4b44d92f67726b2b65

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
72KB

MD5
01caff62c64eca4aca27696a8a9de999

SHA1
ecc8b4dc0dfac22ef8edfcbbdb0fd855c6d782d5

SHA256
4fb4f376cb7603ff7e19d571d65a84055c8dfe25880c18ff58cf07c439220070

SHA512
a2a0cd95001b7d1cb697757f0e6c7217dcbb0c910389072c3baee37f14abb444288148f457015f1940c6c82d331d7f0a7d7e3ce817186e2a5a27db0060bd7352

Download Submit