neconyd | e3292a72e6e5471304f53e2a0525fa776e27b1624e862f98103b24cf4a45f36e

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 04:14

Target

e3292a72e6e5471304f53e2a0525fa776e27b1624e862f98103b24cf4a45f36e.exe
Size

84KB
MD5

27b3f3d330c1676819c043ccfcbeac42
SHA1

fa115d0f9ac440a69245c02259affafb40e605d3
SHA256

e3292a72e6e5471304f53e2a0525fa776e27b1624e862f98103b24cf4a45f36e
SHA512

71fffe1679166438901b4dc6927a217255c9d8033f18741b4edf2d6556daed8427bef17f2010d3bb271f424e2719cdeab01f3c5abe6a0ab2cf118bd756119fa2
SSDEEP

1536:Dd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:jdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 4320	4384	e3292a72e6e5471304f53e2a0525fa776e27b1624e862f98103b24cf4a45f36e.exe	81
PID 4384 wrote to memory of 4320	4384	e3292a72e6e5471304f53e2a0525fa776e27b1624e862f98103b24cf4a45f36e.exe	81
PID 4384 wrote to memory of 4320	4384	e3292a72e6e5471304f53e2a0525fa776e27b1624e862f98103b24cf4a45f36e.exe	81
PID 4320 wrote to memory of 3828	4320	omsecor.exe	93
PID 4320 wrote to memory of 3828	4320	omsecor.exe	93
PID 4320 wrote to memory of 3828	4320	omsecor.exe	93
PID 3828 wrote to memory of 432	3828	omsecor.exe	94
PID 3828 wrote to memory of 432	3828	omsecor.exe	94
PID 3828 wrote to memory of 432	3828	omsecor.exe	94

C:\Users\Admin\AppData\Local\Temp\e3292a72e6e5471304f53e2a0525fa776e27b1624e862f98103b24cf4a45f36e.exe
"C:\Users\Admin\AppData\Local\Temp\e3292a72e6e5471304f53e2a0525fa776e27b1624e862f98103b24cf4a45f36e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3828
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:432

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
5034a8a62e2fced1893b4b66793f1bad

SHA1
2081aa9897b9ee9af8dc8241f2652bb179feb1fb

SHA256
e85fa958adf935e80bc7a718e5844a8b9eda2577b782d4f96eb9c6d9f886bbc2

SHA512
5ea2c2637bc3abb19f01080cd79c464cd388b5f0027c2c4e2bf1544e5ed69ee18a33e1a98f6b00fc4f08df4ba9570c86faf317ae03815ad703b9b7c653132ea4

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
bd589bac32e49f2e91aabdbe9f6cc7b8

SHA1
41d3b1144e96a41fd3317cd66d8a1233c040e7da

SHA256
ffca99c3b9f2a6d66d2e0259cc59e2c14c3e6947e93ed7bc48c0babdff20df5f

SHA512
78db8425f6f549398e67a12631715b324dd3fe111e205f84a51ebd6e0565295be3a4c08a945d893811d411405d437f96244131b11342f0ae4824782f4509ecb7

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
4bb748021e612c976680e110f148d28c

SHA1
e9168659109a0e41490bace01282972ca7979f7a

SHA256
ea9d796920d7819dfdfe052b84170e01116af3087ac2be92f9c63309cafc1e3c

SHA512
31e58db717852f3c5a1f8986aea3ef0dd627daae71d310c74c73281fa3f2ddcd52726ec45b209ac59968feaf2fddc8ae3888ac7d65f66893db96c6d9004ffb37

Download Submit