neconyd | a93dc0df74c3802331cb3071a6b6fede81223aab056e9c54f72522816d4b65be

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 09:12

Target

a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe
Size

88KB
MD5

a3c865f8aaebac9423eaacfa147e5b10
SHA1

c2d70c2edee43c9e8d7cbaf29abeba333b838033
SHA256

a93dc0df74c3802331cb3071a6b6fede81223aab056e9c54f72522816d4b65be
SHA512

a192e7a046bef5c53475748e03bd24db95a7e4874a55606ea622f123f105e15965022a1f16ea239521f96f296439473108be993a2918b892e8ea7d2fa2ffe438
SSDEEP

768:+MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:+bIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
4268	omsecor.exe
2420	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 4268	3176	a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe	83
PID 3176 wrote to memory of 4268	3176	a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe	83
PID 3176 wrote to memory of 4268	3176	a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe	83
PID 4268 wrote to memory of 2420	4268	omsecor.exe	96
PID 4268 wrote to memory of 2420	4268	omsecor.exe	96
PID 4268 wrote to memory of 2420	4268	omsecor.exe	96

C:\Users\Admin\AppData\Local\Temp\a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a3c865f8aaebac9423eaacfa147e5b10_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2420

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
2504d2a7777077f3afb7fb7df1ec343e

SHA1
c26d2abec5b105256d029b5c4698a51365b418d4

SHA256
f62894e7bad95d59d5878c2dbd7c156190007222c17931d2e4be6698ec5b7dba

SHA512
b13d014e232c9b1bbdded3d7dca2b41f6d16e7198ea4138f213f4129d7f8ae78c15169a5dbcea6bb826ec8707859fe6d84b767ce2a61f673244fe6537785b6e9

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
0147a181755e8bcae6d5603ca1c83f1e

SHA1
f331af87555af98b162e6a45b0de80403a5a278c

SHA256
5bad44109ae494a32c2ce8c5d2b896a7e83e8e2c1654849da17b59cbc8069c8b

SHA512
debe18a8a9f6c05f2bf7aa58c05f8d7014066900d52264e90db4786253fe9b9c16768cfb3702e5ba6e81b12f8aaeb0c4db9a281eee4451b13cf1b8fa5dbbe76c

Download Submit