neconyd | f3f0a313306e331089a062918b7e24ca0aeb07ebaf1d0895ec8df9a8654d2f75

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 07:41

Target

1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe
Size

64KB
MD5

1889f9d2380a0b437839229a58a57910
SHA1

e36286ca074f0ecc71523a7a332ea48f332a26b3
SHA256

f3f0a313306e331089a062918b7e24ca0aeb07ebaf1d0895ec8df9a8654d2f75
SHA512

165a935b7ddec438fad4cc749ec0e3191e51a515cf28b67b2394d9b059fd03f12fc49a817b96674772f8b5991d9a3bfadf8779201ef6eeef32d31ae505331fa9
SSDEEP

768:SMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:SbIvYvZEyFKF6N4yS+AQmZcl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

3140 omsecor.exe
3168 omsecor.exe
3596 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 4128 wrote to memory of 3140	4128	1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe	omsecor.exe
PID 4128 wrote to memory of 3140	4128	1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe	omsecor.exe
PID 4128 wrote to memory of 3140	4128	1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe	omsecor.exe
PID 3140 wrote to memory of 3168	3140	omsecor.exe	omsecor.exe
PID 3140 wrote to memory of 3168	3140	omsecor.exe	omsecor.exe
PID 3140 wrote to memory of 3168	3140	omsecor.exe	omsecor.exe
PID 3168 wrote to memory of 3596	3168	omsecor.exe	omsecor.exe
PID 3168 wrote to memory of 3596	3168	omsecor.exe	omsecor.exe
PID 3168 wrote to memory of 3596	3168	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4128

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:3596

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
64KB

MD5
a1765f2f554a070bcf671e91c91d3e31

SHA1
db72151e98bad7f6d99554c88d8bf47a95bd98f4

SHA256
c57610f0f14d60015bf9303657ee31ef6d8ffac9bdc80ff439dbfe61412be66b

SHA512
3be1c2efdf19a155da8a2d8bd9bcc34b463a949f42943729df6341eb5d90f4b05595c5c77b5286fcadcfbcc778c292e259112e29f0dfceb1316fd7a0bc0c2de3

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
64KB

MD5
c664366df778b7cb9af2defa43904937

SHA1
1877cad278216c47993f20d324c62ba2f7424120

SHA256
1c099876cab02618c6542a209d18711d558661cd03eb96e40603355d2fcf1d73

SHA512
1b615aede976e2972d2bed26e73dd068c293fb931dd972b0bd2ab7864984af8affef82394c5f751d43bec03c6bbf77930539f4fec50d388549d83dc2c97c2559

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
64KB

MD5
c01461b4ffbc538b8e3b3b570c142f5b

SHA1
36da84b63d89159b0a03ebe61929584dbda67d1d

SHA256
41dee656b5226921150815e37d3b8a2d110c3e76bc4d3c2c54c8077a987e1ebd

SHA512
754e53aa8c45fa6587a0401caa9e8abdf2e6a9f87a8edd985ac2e3f97e80707278cfdfccfe181ed98a8751b4d3f3d957f7739f1a06cd5c7baa448e1b5858744c

Download Submit