neconyd | 1a3418fc1339eee339bb1b55e612e3682ce3cfcd78bcca9740772207883d43b2

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 20:39

Target

7e912409ad2b9e57be9f5dccb7460a80_NeikiAnalytics.exe
Size

72KB
MD5

7e912409ad2b9e57be9f5dccb7460a80
SHA1

2af793b7f844c2257ce787541e969c7624c91174
SHA256

1a3418fc1339eee339bb1b55e612e3682ce3cfcd78bcca9740772207883d43b2
SHA512

39356f541eadfb1977d7954362256c2b22c7985438b6f0bea162a0bf1a464519aadf3d4f77a73d31efc0c77ef7b6297f64fe1357dbf3e454b8fdbc48f697c8ee
SSDEEP

768:qMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:qbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
2156	omsecor.exe
4692	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2156	2648	7e912409ad2b9e57be9f5dccb7460a80_NeikiAnalytics.exe	83
PID 2648 wrote to memory of 2156	2648	7e912409ad2b9e57be9f5dccb7460a80_NeikiAnalytics.exe	83
PID 2648 wrote to memory of 2156	2648	7e912409ad2b9e57be9f5dccb7460a80_NeikiAnalytics.exe	83
PID 2156 wrote to memory of 4692	2156	omsecor.exe	101
PID 2156 wrote to memory of 4692	2156	omsecor.exe	101
PID 2156 wrote to memory of 4692	2156	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\7e912409ad2b9e57be9f5dccb7460a80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7e912409ad2b9e57be9f5dccb7460a80_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4692

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
80017cc0320965e0660ff692dfe41245

SHA1
2064dc46eef83ec686ea57a4b4f7bd2fbb39d945

SHA256
7a9aa5d12b693b4c67e89f7e38762581a63be7c50087e6a6b8e6ebe441ff4211

SHA512
6a90f3261724c1297fabee0f478cd94a57ffd2a7763e6e841ab4eb42d6572edb6b7efde8da8d40c1df9951a437f9208c016c8ea284084638aec9ba6b455bd869

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
196fa81478c606b00b383ea6daca995c

SHA1
dd537feecee6fa49189c7e3309bc75e69f453c0c

SHA256
b7f567efae1560fab500e29d538051a95f130c63ac721e5d69acbe715312368c

SHA512
a085d5eb94c6d97be29b2973ce0c27d8b5579784c7ec65275f92f24633fd0246f280adbc5f3cbf62c3cd17042b00093331a422ae2ef520c48b465bc1c95f0fe7

Download Submit