neconyd | efa8eb14ba17228526567b6b961b0f3c109877857b21018365356378519759d3

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 05:12

Target

33f8440e61cc04482ca7e917802309f0_NeikiAnalytics.exe
Size

68KB
MD5

33f8440e61cc04482ca7e917802309f0
SHA1

8534b50bda505d8521c8775575a3893a84dbaf76
SHA256

efa8eb14ba17228526567b6b961b0f3c109877857b21018365356378519759d3
SHA512

2bbd4ae92086b75e8a11c2d11566928d0dd005e26c7ff2bb4d77447a388a9a7198ec7a04b7707e004cd3bbc28c76f732fb3bc0f6cf527962ee7127b6f5db963f
SSDEEP

1536:Hd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:vdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 4460	3164	33f8440e61cc04482ca7e917802309f0_NeikiAnalytics.exe	83
PID 3164 wrote to memory of 4460	3164	33f8440e61cc04482ca7e917802309f0_NeikiAnalytics.exe	83
PID 3164 wrote to memory of 4460	3164	33f8440e61cc04482ca7e917802309f0_NeikiAnalytics.exe	83
PID 4460 wrote to memory of 3332	4460	omsecor.exe	101
PID 4460 wrote to memory of 3332	4460	omsecor.exe	101
PID 4460 wrote to memory of 3332	4460	omsecor.exe	101
PID 3332 wrote to memory of 1248	3332	omsecor.exe	102
PID 3332 wrote to memory of 1248	3332	omsecor.exe	102
PID 3332 wrote to memory of 1248	3332	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\33f8440e61cc04482ca7e917802309f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\33f8440e61cc04482ca7e917802309f0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1248

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
95892dc50472f391322236c26b0f32e7

SHA1
391a7d86f83ad1148c31919854c60774fc123464

SHA256
045ebccdab5bfc2533e936b0e00c217aeb7bc6cf5b9a5fec85efddced5c9e528

SHA512
a66ce7413755f66adbcc5c5ecc10e9aa094c3a56e2738ccf460e0d7a3929566afda8a0ae0e2e877e25ac04bd36fd2cf1124761c1a16bd12af836e10cce1b7179

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
c09780637bda4c52feb947a775962e72

SHA1
2f0dde549f9185211bdfe4a138205885f3b22ea8

SHA256
178aa06cd488c9dbf89de087f4032418131acf85f565f8a0ecd510e796ca54fd

SHA512
bc5e2a4b5bc21dde80b0c4c29493a9f3e0298ce75169ddd18acafd8e1aff9023fa1a51333d1488bc01139f275cd599c054dd9b8495532e0714d32b4aa64bb65f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
68KB

MD5
22d4bb6f37ad03630630ab314bc7081e

SHA1
e09e4c74d0e80d7251ebd0657a5fa77cc3de7a5e

SHA256
7e53bc4f51e142eefa253ad88bef6ff1cdf7061642b43706f6c9c41753b12905

SHA512
a75f0cd925e17c099a12e5433080693edb63532052e42696cce784b428d0cacd8b02d4935aaca8204b385cd61b9b0206ec5a3aa94a67d83ebc33910b1633fc5c

Download Submit