neconyd | dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 04:01

Target

dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab.exe
Size

92KB
MD5

8f3fa2efea2f458ff0fe01de23122487
SHA1

cf886d14754740cc502ab4a670cc808564d0b513
SHA256

dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab
SHA512

dfb7704b5c5c64c22332c38eb6028344dfb3d9d8df813e925ffa8f0ea1e05ae23dc714dc848b093743718cd910c23602e226a539f0e50901521a588e7eb896a9
SSDEEP

768:uMEIvFGvZEr8LFK0ic4PN47eSdYAHwmZNp6JXXlaa5uA:ubIvYvZEyFKFPN4yS+AQmZol/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
2572	omsecor.exe
2352	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2572	1072	dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab.exe	82
PID 1072 wrote to memory of 2572	1072	dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab.exe	82
PID 1072 wrote to memory of 2572	1072	dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab.exe	82
PID 2572 wrote to memory of 2352	2572	omsecor.exe	94
PID 2572 wrote to memory of 2352	2572	omsecor.exe	94
PID 2572 wrote to memory of 2352	2572	omsecor.exe	94

C:\Users\Admin\AppData\Local\Temp\dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab.exe
"C:\Users\Admin\AppData\Local\Temp\dc7eada2411ef969352ece4534059ab5945a3795d7161d056178ffea53f415ab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2352

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
515addfc9b7e67959c8ad8428e32fb95

SHA1
bfa921366cc818026676794e0ec12e8f5d035252

SHA256
86cfc771601170448e901675768408cb401bf8a4f8ce332bc82ef657ffc6b526

SHA512
65466a753e4b2a775216821109a8d058a3c6bd3e799b0e74dade461a8ac06e19bc72d32037c9f569b09cc863a9d94f5e1b28f794d8e675d7f0de3a15efdc276c

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
e8599e01f57ca24dc27a32803ea8aa9a

SHA1
3e9c1148448c92e400f4f781a3e07f3d21fa7cf2

SHA256
322f3fa4a2218c69155a54b18c2a018e558b304083d24c16d80269aefb8a23f4

SHA512
cbcf8c17db55f9ec9e272358863adb0af591e167b0f35486aabfe5564e0ec2f35a5265f3ff052c11d6bf7b4160830b1043f3cdbb8b717d5adc4e5394a91ea0ea

Download Submit
memory/1072-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1072-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2352-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2352-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2572-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2572-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2572-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download