neconyd | 12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 19:00

Target

12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78.exe
Size

76KB
MD5

52d431afd5444972c8e6a6899594069c
SHA1

fad3a794109e065e4f506f5a7bf2c20e13768e24
SHA256

12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78
SHA512

effc45a9a07949b497f368bbcac62c863710ad1c69cb73520bd78fb12ed79ff8589fe93821a9101548efb44ae327739f0f20e01d2068dc6d38dba288c271df02
SSDEEP

1536:zd9dseIOcE93jIvYvZEyF4EEOF6N4yS+AQmZTl/5Z11:zdseIOUEZEyFjEOFqTiQm5l/5Z11

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
3700	omsecor.exe
4780	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 3700	4344	12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78.exe	82
PID 4344 wrote to memory of 3700	4344	12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78.exe	82
PID 4344 wrote to memory of 3700	4344	12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78.exe	82
PID 3700 wrote to memory of 4780	3700	omsecor.exe	99
PID 3700 wrote to memory of 4780	3700	omsecor.exe	99
PID 3700 wrote to memory of 4780	3700	omsecor.exe	99

C:\Users\Admin\AppData\Local\Temp\12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78.exe
"C:\Users\Admin\AppData\Local\Temp\12d49b38e64fcf5fdd3c4252a9f74e5840ce7ba40c1b9655174a6cd26750cd78.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4780

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
95ad57406250e58fd37ce98e8ca104de

SHA1
07d9409a25b1787ecb85a586daf2f6ea28f4c8fc

SHA256
50506b04b52265632238f1124b849cbb3e31f4f73031763313ad66937bfb982e

SHA512
c675f434f4bcc184d5470c0fde4d56d670990221284eeebac28fa67e7bb85bf62982be7dea782aa8210743d123d09e613811f3bf48a86e3ebef4beb822acccb7

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
090d71ee1d4a79bdbabf3bca05281c7f

SHA1
d76db1bde1de5555e08dd7ccab178966be92ea47

SHA256
76552e530b128a2cc56c7fefbc2a3567434885cbb437a764b1a4792c1ddc1a58

SHA512
f1059fd7e42dc302407a79997250601362cae99f393967e806cbbcc8bef2c37c34ecef8f536378ca05220d6546e994691603e6f5fd49ee625c4538cf9c446229

Download Submit
memory/3700-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3700-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3700-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4344-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4344-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4780-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4780-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download