neconyd | 6591c343a1b5912089950087d6c926cae3f7ee46d521170311eab844fe59e2ec

Analysis

max time kernel
140s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 23:09

Target

59cd4a7353fe28d1e68e3e6a7f23a5f0_NeikiAnalytics.exe
Size

76KB
MD5

59cd4a7353fe28d1e68e3e6a7f23a5f0
SHA1

0084d644c8f8f0e117b8861520dbed60ad27e6cc
SHA256

6591c343a1b5912089950087d6c926cae3f7ee46d521170311eab844fe59e2ec
SHA512

4ebf2d809c20203c71163587c52bda1619cbe5a76057d202b9b5bab21c65645c26fe0787104b4c1cf649e690d33087c0169e108d9bc3960ce7040776606a21dc
SSDEEP

1536:Ud9dseIOcE93dIvYvZEyF4EEOF6N4yS+AQmZTl/5R11:sdseIOKEZEyFjEOFqTiQm5l/5R11

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
4564	omsecor.exe
4472	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 4564	380	59cd4a7353fe28d1e68e3e6a7f23a5f0_NeikiAnalytics.exe	91
PID 380 wrote to memory of 4564	380	59cd4a7353fe28d1e68e3e6a7f23a5f0_NeikiAnalytics.exe	91
PID 380 wrote to memory of 4564	380	59cd4a7353fe28d1e68e3e6a7f23a5f0_NeikiAnalytics.exe	91
PID 4564 wrote to memory of 4472	4564	omsecor.exe	101
PID 4564 wrote to memory of 4472	4564	omsecor.exe	101
PID 4564 wrote to memory of 4472	4564	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\59cd4a7353fe28d1e68e3e6a7f23a5f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\59cd4a7353fe28d1e68e3e6a7f23a5f0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:380
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:404

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
5ed3bf388bdcce2e7aee14ac529eecc9

SHA1
7c92c7f89e60f3db52c63cf2bdb88fd8bdf7e6b0

SHA256
c5adb4934aeca136437e555268bd544f51841340e4836eb2821df297631e2af3

SHA512
1839ffc38c4e9d01052c3ea239dfaac959add3c0f37ccc02fb7c4b05261584df466d80ee308210cf1560eb166cbcc36fb6f9b5f5b13cd54611be2c47cb761414

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
27413198a7a340fdd1ac1a8a14782450

SHA1
e455076974fd45b17d3d4e86b3dab03f57bccbe5

SHA256
25323883586972162b79bf74b0e156e77d9ee11569d69af09a80610bc9b5fab6

SHA512
51cf2ac84e1d7bf50dfe1799b4ca5dd371b5532383cd16082d6a289c395a8948292ade8138104521e3ad500da895ea8e4117567cf43dc0dff7027d5762206983

Download Submit
memory/380-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/380-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4472-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4472-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4564-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4564-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4564-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download