neconyd | 7c92140276a5a136c78da4a1dc1ff0dbe0b55c0c57667c1c04fe32f6cae52f52

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 04:28

Target

3e75d7ca496cdefa6b7a8eba27ae3550_NeikiAnalytics.exe
Size

65KB
MD5

3e75d7ca496cdefa6b7a8eba27ae3550
SHA1

596ba18b9b25edf3cafc33027466855f9aaaa16b
SHA256

7c92140276a5a136c78da4a1dc1ff0dbe0b55c0c57667c1c04fe32f6cae52f52
SHA512

5dfa95d0a9eb7594116e6d791325cea1ce73d022113575e0bfc3e47ebf78161a631c12e8c0314c4af0d9f311d37577dda575320621f75c9eb1cff5e03b64d07f
SSDEEP

1536:zd9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZcl/5:zdseIO+EZEyFjEOFqTiQmOl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
4152	omsecor.exe
1836	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 4152	2928	3e75d7ca496cdefa6b7a8eba27ae3550_NeikiAnalytics.exe	84
PID 2928 wrote to memory of 4152	2928	3e75d7ca496cdefa6b7a8eba27ae3550_NeikiAnalytics.exe	84
PID 2928 wrote to memory of 4152	2928	3e75d7ca496cdefa6b7a8eba27ae3550_NeikiAnalytics.exe	84
PID 4152 wrote to memory of 1836	4152	omsecor.exe	97
PID 4152 wrote to memory of 1836	4152	omsecor.exe	97
PID 4152 wrote to memory of 1836	4152	omsecor.exe	97

C:\Users\Admin\AppData\Local\Temp\3e75d7ca496cdefa6b7a8eba27ae3550_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e75d7ca496cdefa6b7a8eba27ae3550_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1836

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
74559b686084acc704853a56c252f6f9

SHA1
a472928fe6c5f2752d666aeb5d064fe60a6938e7

SHA256
954edcf0d4949cf02cfd2e35b6f3e5009709bf3954e17cb2e36d05cf9b49abec

SHA512
0838acd4abc1ab70f943939ebd1c788be6231bcbac09d6de1191ab23175574f89cd0f0e8b21e2ace47899af55451d1a66cd1b6320e2af4e91436d7f4f6b1a1bd

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
261583c86c721513dff4066814de631d

SHA1
2a40cc289ee95804bdd37403ac828f7b57a54926

SHA256
1e1ff2e42ca26882dc4fd46bfe02aaee9ce4641eb2f07375c61f879796edcfc3

SHA512
48cc6fb372e2ed1c973d1cf704a546d814e851758e5f4bf6335026e8826360c05f9825524217e6753e8e414d913e2db12da63e751b40fb5a9d734f5d1b7dc4b7

Download Submit
memory/1836-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1836-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2928-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2928-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4152-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4152-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4152-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download