neconyd | 697e1fe49dabfdf5b4bded392fdb6c59bfe8a8e1971343284fcf862ce2b40d3a

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 01:17

Target

24acdcbaccf5ba33155373146d6eada0_NeikiAnalytics.exe
Size

76KB
MD5

24acdcbaccf5ba33155373146d6eada0
SHA1

c619658c5feb0d3272627739ae5348abc2e53235
SHA256

697e1fe49dabfdf5b4bded392fdb6c59bfe8a8e1971343284fcf862ce2b40d3a
SHA512

a9555871aa807103db2b5032516d9c81f7d2ba717ac64ee22bc578cf047cef2fd8fe42d36d4d39246ef3b9f9f873374a4de8f964b3f5be782e96fab9edbcd866
SSDEEP

768:dMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:dbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 5084	4268	24acdcbaccf5ba33155373146d6eada0_NeikiAnalytics.exe	83
PID 4268 wrote to memory of 5084	4268	24acdcbaccf5ba33155373146d6eada0_NeikiAnalytics.exe	83
PID 4268 wrote to memory of 5084	4268	24acdcbaccf5ba33155373146d6eada0_NeikiAnalytics.exe	83
PID 5084 wrote to memory of 4164	5084	omsecor.exe	96
PID 5084 wrote to memory of 4164	5084	omsecor.exe	96
PID 5084 wrote to memory of 4164	5084	omsecor.exe	96
PID 4164 wrote to memory of 4624	4164	omsecor.exe	97
PID 4164 wrote to memory of 4624	4164	omsecor.exe	97
PID 4164 wrote to memory of 4624	4164	omsecor.exe	97

C:\Users\Admin\AppData\Local\Temp\24acdcbaccf5ba33155373146d6eada0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\24acdcbaccf5ba33155373146d6eada0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:4624

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
b3472c1abaa447fa3ac14a3d958c03e4

SHA1
befa32a83a30804027ffaa081f5d58ebb3cf1030

SHA256
9a27f5e2ea00e4e50d4d9fe509c54ba18e4d8acd17dd5bf73511d180b66287bd

SHA512
d770f44f7752906e535712e7852fea6657ad589bb11a553c398faf5c7309881b7228b07b2f6b21f6ca3e0f378cbd367e75b47fca525aea4e736ba22d3a295903

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
615cbc2af2d6c9b5db5afa489e832457

SHA1
930b86d9be37239b34122669119cc618ecb9df7f

SHA256
0550a3d251db16586e8191358ca3f923d13935f49e51f5de5762a74c28017ebd

SHA512
9575784f6c449c2cf304dc80de7ee6a23f4ca2c4ed81f9726860d872acb8e548e43ac0131f96d2975eb3163c3819a5076f039fb3dd1a650962d6b1e58819bdf2

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
0c64550c8a7cae2b2e167fbd8a099cfc

SHA1
9a8dca1ff2935a5f81b62fffbcfacba7b2290971

SHA256
ec6aca003699a8d50eca654e596622d32e47b529f9b40f24aca15c920495f680

SHA512
10d32454ebd36e791a04d325c467e800e161ed3d20db26c332aa65d07d91e09b11587b1b39fcd3b0b7d20fdd8dd58a6c86914a390f238d43e22f87c7f3cb504e

Download Submit