neconyd | bb298dc0bd16e09c8e916c339bdebfd12002d645745371d61f27f5dc48f8b7f5

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 08:32

Target

3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe
Size

80KB
MD5

3dae0b8e7aaa90368482f1c5b475d330
SHA1

a72a2487ed1e473b78bab544e56a7582feb0ea88
SHA256

bb298dc0bd16e09c8e916c339bdebfd12002d645745371d61f27f5dc48f8b7f5
SHA512

36fa22d2214d689f2bbf8a0bbf836a72d74ac71172609a05e1138c6364b65375429bac3397814d3f9a35719f8e01d6b4f8368dc220c015fa87277a8259eff61c
SSDEEP

768:zfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:zfbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1236 omsecor.exe
2772 omsecor.exe
1640 omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exeomsecor.exeomsecor.exe

pid	process
1548	3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe
1548	3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe
1236	omsecor.exe
1236	omsecor.exe
2772	omsecor.exe
2772	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1548 wrote to memory of 1236	1548	3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe	omsecor.exe
PID 1548 wrote to memory of 1236	1548	3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe	omsecor.exe
PID 1548 wrote to memory of 1236	1548	3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe	omsecor.exe
PID 1548 wrote to memory of 1236	1548	3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe	omsecor.exe
PID 1236 wrote to memory of 2772	1236	omsecor.exe	omsecor.exe
PID 1236 wrote to memory of 2772	1236	omsecor.exe	omsecor.exe
PID 1236 wrote to memory of 2772	1236	omsecor.exe	omsecor.exe
PID 1236 wrote to memory of 2772	1236	omsecor.exe	omsecor.exe
PID 2772 wrote to memory of 1640	2772	omsecor.exe	omsecor.exe
PID 2772 wrote to memory of 1640	2772	omsecor.exe	omsecor.exe
PID 2772 wrote to memory of 1640	2772	omsecor.exe	omsecor.exe
PID 2772 wrote to memory of 1640	2772	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1640

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
80KB

MD5
d57fab3d03ba2c057422b6cadc68d008

SHA1
1e5bd0e2ae3716e51f4e182c7557910b5b536959

SHA256
3a9ca99328a6dcbf319ceeff23809576d187e90e1e735f46884ac32050f03d74

SHA512
8f6edfe7bc42800e0f13c5ac81f161f21f1d0cc90334879921a7d2d9953c3f0c9b465ae674f12291ccfa84cda02fa0674d81bab31ce591d097e6a9e7849e26f5

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
80KB

MD5
00e231e402542677f82b4c994ac8efb5

SHA1
50509377533586ef33521ded483e0df4bbe7f53b

SHA256
d9510f47fdc11e52b3509c1c263960b13adc5608d9960d34595a4133719a812d

SHA512
34472f9b87ea34ce397145c6ebe71fc62df2ccbe1ca623578851c1cf6bbc3eeb4367b175c9d79efdc2e7bd8d273df313d51de1688fe5156771e98c614d1e6194

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
80KB

MD5
7f0afb356eb4b826e648a789807e40c3

SHA1
30f636ca5dcda94af6bad191f2db47f649950872

SHA256
d32159a9767a3f0cb30e802c51a18f262ddefb88d38f12ddf4d695648ce4dcce

SHA512
b7a235acb930566e5bb6e470fd0701a6a845609a70998bf1fc3247044b138681d9ab001725408cf8cdbed2825c76bc49a271004e8b711448bae7da5a45f95d32

Download Submit