neconyd | 34e5eca202fb1ff2d75c174c801e738fa74f7e5eae8ba5c71568d383e62a095e

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 23:54

Target

19be287e4d2fba32fb8ac6f00b436730_NeikiAnalytics.exe
Size

62KB
MD5

19be287e4d2fba32fb8ac6f00b436730
SHA1

7a8747273ed8e78b1bc529d22bb3092a1f617e11
SHA256

34e5eca202fb1ff2d75c174c801e738fa74f7e5eae8ba5c71568d383e62a095e
SHA512

8337f6c959fce2a86e97219e9bf3639dd73d83973f327be92c10a7cda9fac8f17428c7c78b4cb640f3cce096b7d112efe89366ba22674cdbd78551e44f3e8d83
SSDEEP

768:HMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uA:HbIvYvZEyFKF6N4yS+AQmZtl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 3516	4456	19be287e4d2fba32fb8ac6f00b436730_NeikiAnalytics.exe	84
PID 4456 wrote to memory of 3516	4456	19be287e4d2fba32fb8ac6f00b436730_NeikiAnalytics.exe	84
PID 4456 wrote to memory of 3516	4456	19be287e4d2fba32fb8ac6f00b436730_NeikiAnalytics.exe	84
PID 3516 wrote to memory of 2124	3516	omsecor.exe	101
PID 3516 wrote to memory of 2124	3516	omsecor.exe	101
PID 3516 wrote to memory of 2124	3516	omsecor.exe	101
PID 2124 wrote to memory of 3808	2124	omsecor.exe	102
PID 2124 wrote to memory of 3808	2124	omsecor.exe	102
PID 2124 wrote to memory of 3808	2124	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\19be287e4d2fba32fb8ac6f00b436730_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\19be287e4d2fba32fb8ac6f00b436730_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:3808

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
08a0c3c5845e5eb0f06a9c223ea39537

SHA1
1132351365206fe06f28efa7730c0d7ee98d5224

SHA256
c90d8ab5a5ccb6dab262c5e871bb35025799ee54afd82fced3273a9b9cbf079a

SHA512
96cf69fe76df3d3291659dab14863cfbb7a8a54df373411c4288fc651a0583b1f74fd4b582c53bfb7d94b221d85a10283b0672386d4eeb1d0e98a3da70b68c4b

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
d0cebd688a2a2fb17875e7b9a17c6d80

SHA1
d04721b9c7d3c86fb67a0bb7ce1e6b68898b232b

SHA256
62f0e24e5e3c529caba1635df8561bbec5c7a6cf2455e0cc9aefe2acc0ca4ec9

SHA512
a9a4cdfc70f8cfad3053aa3702d846e2cd2692563c22e202f55a1cbb2f6703c9189a999a43da2a0d88756092cb975c3da1e1e97e3c4839260ac7af096c1d8eef

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
62KB

MD5
ca9b24f0608be810ef05327767166e11

SHA1
6f75bf0455c87f5f4b47e0fc9f88a0a31df41cd9

SHA256
70e37f50816270103b463383a4186543c2efbbf83433e9f5f6cf445e5eb4c552

SHA512
1c91b4994e39230edd265d8dd1e06485f4138d9b36d995e8f9dd07f445e1736552580cafc002c86c9b9c0fd4296000a7bc0d22f5c6ecc139d598c9b00286d10f

Download Submit