neconyd | bb298dc0bd16e09c8e916c339bdebfd12002d645745371d61f27f5dc48f8b7f5

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 08:32

Target

3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe
Size

80KB
MD5

3dae0b8e7aaa90368482f1c5b475d330
SHA1

a72a2487ed1e473b78bab544e56a7582feb0ea88
SHA256

bb298dc0bd16e09c8e916c339bdebfd12002d645745371d61f27f5dc48f8b7f5
SHA512

36fa22d2214d689f2bbf8a0bbf836a72d74ac71172609a05e1138c6364b65375429bac3397814d3f9a35719f8e01d6b4f8368dc220c015fa87277a8259eff61c
SSDEEP

768:zfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:zfbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

408 omsecor.exe
3356 omsecor.exe
3016 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3480 wrote to memory of 408	3480	3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe	omsecor.exe
PID 3480 wrote to memory of 408	3480	3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe	omsecor.exe
PID 3480 wrote to memory of 408	3480	3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe	omsecor.exe
PID 408 wrote to memory of 3356	408	omsecor.exe	omsecor.exe
PID 408 wrote to memory of 3356	408	omsecor.exe	omsecor.exe
PID 408 wrote to memory of 3356	408	omsecor.exe	omsecor.exe
PID 3356 wrote to memory of 3016	3356	omsecor.exe	omsecor.exe
PID 3356 wrote to memory of 3016	3356	omsecor.exe	omsecor.exe
PID 3356 wrote to memory of 3016	3356	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3480

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:3016

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
80KB

MD5
d57fab3d03ba2c057422b6cadc68d008

SHA1
1e5bd0e2ae3716e51f4e182c7557910b5b536959

SHA256
3a9ca99328a6dcbf319ceeff23809576d187e90e1e735f46884ac32050f03d74

SHA512
8f6edfe7bc42800e0f13c5ac81f161f21f1d0cc90334879921a7d2d9953c3f0c9b465ae674f12291ccfa84cda02fa0674d81bab31ce591d097e6a9e7849e26f5

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
80KB

MD5
2a4a0d460e9d7a1460c538fd54a33af7

SHA1
57296acc3a5fdf9534938272e04f45049087ccdd

SHA256
a5632f961a61ba10cd7995ae9fa87fbf413cc5b090f61d7e977e8840af7b5076

SHA512
298263efe431e59c183c710f08f0046056164d0e095b145279fc66aafee564c1a2420a6990e284b43a86dd05da4e76f2d2877be1dcdf98a2adcb73d881e6e02a

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
80KB

MD5
36961316c43c8ee6ba6e9896df651986

SHA1
daffbbf0bb5be65e21ace925bc1a2ec31e6661bf

SHA256
8ff26a6d0b07e32ed60749924c440bf7d8f734eda940a31477c93ca85fb5528d

SHA512
de061992b0127071e7613f345a1911dc501c01c23ad437766759746c1b1610159eef0d9e5044db760100bfc0e80ef79070aa88e088b7be2220327c36f0a4e859

Download Submit