neconyd | b5a88df505fe2459ebcdc96a6b718954c0a309268be6c4ce8480dbd9f62633cc

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 02:25

Target

b5a88df505fe2459ebcdc96a6b718954c0a309268be6c4ce8480dbd9f62633cc.exe
Size

89KB
MD5

6f27f1875610ee8bb20cfc77568eb4d3
SHA1

dceed00207e3274f42ac67eae55f777b7ff9036c
SHA256

b5a88df505fe2459ebcdc96a6b718954c0a309268be6c4ce8480dbd9f62633cc
SHA512

0c2d81c3961f6fa4d101646e511d076da3d2335cc38ad0d1eb0edc630d0d431e834185cb946a90b15d1858add0af3c20430bb8607b35a19b973c775407e303e0
SSDEEP

768:PMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:PbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 4140	4712	b5a88df505fe2459ebcdc96a6b718954c0a309268be6c4ce8480dbd9f62633cc.exe	83
PID 4712 wrote to memory of 4140	4712	b5a88df505fe2459ebcdc96a6b718954c0a309268be6c4ce8480dbd9f62633cc.exe	83
PID 4712 wrote to memory of 4140	4712	b5a88df505fe2459ebcdc96a6b718954c0a309268be6c4ce8480dbd9f62633cc.exe	83
PID 4140 wrote to memory of 5700	4140	omsecor.exe	106
PID 4140 wrote to memory of 5700	4140	omsecor.exe	106
PID 4140 wrote to memory of 5700	4140	omsecor.exe	106
PID 5700 wrote to memory of 5160	5700	omsecor.exe	107
PID 5700 wrote to memory of 5160	5700	omsecor.exe	107
PID 5700 wrote to memory of 5160	5700	omsecor.exe	107

C:\Users\Admin\AppData\Local\Temp\b5a88df505fe2459ebcdc96a6b718954c0a309268be6c4ce8480dbd9f62633cc.exe
"C:\Users\Admin\AppData\Local\Temp\b5a88df505fe2459ebcdc96a6b718954c0a309268be6c4ce8480dbd9f62633cc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5700
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:5160

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
409593f1b5aba2ae7e4b15429f744697

SHA1
4b943692c804dd49a96ba1d6045eb28456fc8514

SHA256
366a37db0a185655e1b00a4d7db00be9b6d97b89134e8b345cc620e4a1d2b697

SHA512
ba68a65281b99f022da6f3dbb7ca5f3e068d91715492b6ab8100b4ab0b9f0696fd734c7a23b23b5ea8ce112494a246dcb0672db5bfeb564af37488c893a33834

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
ed05f7e3a74d3a7ed8e5e1a511b671a3

SHA1
c3332c14e5b496158c136a85a71338204c7fbc8b

SHA256
5461a7fc6dfd63cb994f4b045c619b9b75f8521428b122141b2c80f8cab65c13

SHA512
19cf5df5ca04bdc02fef594fbc7e975b790990a31b958840167e550498efd0c0debf855f292353a7ab2929a7cf6d8579d6053c7d047a005206512b676129803d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
506d44f25551ab41254e4db9c03a67d8

SHA1
7c91209fd4f40888e664b5bc1128c29a8a4c8874

SHA256
22dbbe1400a0fa7d0c306bccfc5bc7c955bf87c1a891acad3b0fa503d02d86ed

SHA512
044a4f6aaeb5e22a3569b023299ca35600cb4d2aa61f26664a1b6b5d47af5b9dad42b47085e331814367e9805967ac9cbce0e52851dd332f4e0448ab42b3db45

Download Submit