neconyd | b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6

Analysis

max time kernel
139s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:19

Target

b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe
Size

68KB
MD5

e5e5158940f5b08bd1560810f2d9b872
SHA1

f3419c747fb6d9a5da0cc98bc99ed292affb2998
SHA256

b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6
SHA512

16616c2553bd8db6c3e7cd621caa4f791402d75b6309b58e312024a717c4295a99e4a8f330b0293ee4fa3445700c6a382e399f00bbc7a2b78f4c335cc96e731d
SSDEEP

1536:dd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:VdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

3876 omsecor.exe
432 omsecor.exe
5844 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2620 wrote to memory of 3876	2620	b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe	omsecor.exe
PID 2620 wrote to memory of 3876	2620	b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe	omsecor.exe
PID 2620 wrote to memory of 3876	2620	b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe	omsecor.exe
PID 3876 wrote to memory of 432	3876	omsecor.exe	omsecor.exe
PID 3876 wrote to memory of 432	3876	omsecor.exe	omsecor.exe
PID 3876 wrote to memory of 432	3876	omsecor.exe	omsecor.exe
PID 432 wrote to memory of 5844	432	omsecor.exe	omsecor.exe
PID 432 wrote to memory of 5844	432	omsecor.exe	omsecor.exe
PID 432 wrote to memory of 5844	432	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe
"C:\Users\Admin\AppData\Local\Temp\b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:5844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3904 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:5508

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
e96d4934f0ad4720210b5a7dfabbc2e7

SHA1
f8930f5af3c6e38a9ab5919a0940a954d57a827e

SHA256
7e486b9b1387e8f30d3fbe8c24e517d3926cd7297aaa6da9c2fc1b1f864b36cc

SHA512
e84cb7a546412315168051a18290e8c81260b048f86c59db60bb029bb82f38187e1f202e5799534ce72380984a924dc512493efe8793702eb01efdfd68be0229

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
f387b544f8bfbcf11c9ee8cefc9b256e

SHA1
59a2bc3032b44e93b3eea3f73f706280e2db22b7

SHA256
0297917b646e11270e4478c1da4df711cfa5f4ef98a6aa36f540b65390957557

SHA512
bd66feb2da8929252da9d5b1c33864831fbbccc959bb008301729d145c603eac554a22de28298224e64ecf1e89326187305aa0da5de212c6dfefdc141a72467f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
68KB

MD5
b70cabf61a95dc58b1bb7906b54de825

SHA1
bd014ff82b691e5545ed0cbb672404cbf3a74f2a

SHA256
d376d9ef9c363c1c2e68bb134f8f00da84da6afc2b7d0e9936290c08829db86a

SHA512
1cc89e80883e194c4e56c455c9903ba87c23d648c037db4ad300b59bd45d521b6b2aca55e90c8d69be3b6952736120dd889bdcf497c8555f7bdf5d83a947131b

Download Submit