neconyd | caad4e0d449f083f66be0075e858b452f5aefb8cf05a8edff32fc17f0762c74f

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 17:21

Target

6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe
Size

72KB
MD5

6cb482fdcf5eafb514dace02f1266020
SHA1

16775995cc52f175c343ab4174e2c6afcfeea569
SHA256

caad4e0d449f083f66be0075e858b452f5aefb8cf05a8edff32fc17f0762c74f
SHA512

7382728b1beefe1945d4c98cac0dbd8dd6dbbefca87a64ee3889a786a59b2d5a31f20fc373a21847e57bfc790d48bc10eca763e09a600fbd210c0959286eefad
SSDEEP

768:MMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:MbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 3000	5108	6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe	83
PID 5108 wrote to memory of 3000	5108	6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe	83
PID 5108 wrote to memory of 3000	5108	6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe	83
PID 3000 wrote to memory of 1680	3000	omsecor.exe	98
PID 3000 wrote to memory of 1680	3000	omsecor.exe	98
PID 3000 wrote to memory of 1680	3000	omsecor.exe	98
PID 1680 wrote to memory of 3168	1680	omsecor.exe	99
PID 1680 wrote to memory of 3168	1680	omsecor.exe	99
PID 1680 wrote to memory of 3168	1680	omsecor.exe	99

C:\Users\Admin\AppData\Local\Temp\6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6cb482fdcf5eafb514dace02f1266020_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:3168

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
ecda00f5a5266acf0d5c74adabbd2cd7

SHA1
7dba25b3cb98c8d2dbda302b1625edd3e7a9afad

SHA256
e256147cfd3d01dfba291580daa1d003f247c82163ab7fdf205f236c449896f6

SHA512
4e035a470974abf0181d4b3b22128c3749afdedbbff3d51609d4a3697f74cefdbb9ed5dd0a562262fca3b60d3e471dbc287d6d8b76e3bb65fecc1595572eed91

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
c2b58aed5b502435639debdedb89a3be

SHA1
be75620f07b1f3ea8deca000389c12cb3165892e

SHA256
d9f31f7764703968d592d8768f8d731ea5fb8505d7fccb29dbda4c68281a1ba6

SHA512
cea465b9187b028b7bb043f278db8dd8581edd5670bb353712c49c1a73379485b793d3c38411adec33b2781cd69831d8efb76373ae357b2615e1510362b8f7b3

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
a6c56c7536fdd61295043798cd56681b

SHA1
511da4cd398f02791da1cd5b4730c8d3b262709d

SHA256
f54769c8a30ece53777abac75820e1b520f07c9f2f4a4eff1a604ea2ef077d71

SHA512
427f9f2fd79338097bb194452038eeccf8f0f3e485bc0f342c53c250fcca7432bd7fc3a2a269944f1fee7c3b41cd3b7758027a8a0a639363e641cc39a2752236

Download Submit