neconyd | 1f8af6dc294105a4346c258efd75a778026217cc0dbefc8bbbd484c00e7d21e4

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 22:15

Target

71f0658fb586d3e6c81daac0faf02d30_NeikiAnalytics.exe
Size

84KB
MD5

71f0658fb586d3e6c81daac0faf02d30
SHA1

41c8999a79e745988a8e748dd0b3e35ebacc0c1a
SHA256

1f8af6dc294105a4346c258efd75a778026217cc0dbefc8bbbd484c00e7d21e4
SHA512

6d60717f6caae2077e7177f1d742b30469468b67ed089da26df6505c01d8bf4a8aa10672774a348165a3c93107d6fb8d398aea36d4d601969e2cbec14535aabf
SSDEEP

1536:Zd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:5dseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Loads dropped DLL 6 IoCs

pid	Process
1940	71f0658fb586d3e6c81daac0faf02d30_NeikiAnalytics.exe
1940	71f0658fb586d3e6c81daac0faf02d30_NeikiAnalytics.exe
2064	omsecor.exe
2064	omsecor.exe
2788	omsecor.exe
2788	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2064	1940	71f0658fb586d3e6c81daac0faf02d30_NeikiAnalytics.exe	28
PID 1940 wrote to memory of 2064	1940	71f0658fb586d3e6c81daac0faf02d30_NeikiAnalytics.exe	28
PID 1940 wrote to memory of 2064	1940	71f0658fb586d3e6c81daac0faf02d30_NeikiAnalytics.exe	28
PID 1940 wrote to memory of 2064	1940	71f0658fb586d3e6c81daac0faf02d30_NeikiAnalytics.exe	28
PID 2064 wrote to memory of 2788	2064	omsecor.exe	32
PID 2064 wrote to memory of 2788	2064	omsecor.exe	32
PID 2064 wrote to memory of 2788	2064	omsecor.exe	32
PID 2064 wrote to memory of 2788	2064	omsecor.exe	32
PID 2788 wrote to memory of 2204	2788	omsecor.exe	33
PID 2788 wrote to memory of 2204	2788	omsecor.exe	33
PID 2788 wrote to memory of 2204	2788	omsecor.exe	33
PID 2788 wrote to memory of 2204	2788	omsecor.exe	33

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
7aef4598776cfd36ec8ede00f7665def

SHA1
4e118ebf5e7540f1f2453c2c7f57269eec7065e9

SHA256
c0a52d6878a33b372328fbf46d61bdec4a7ccbf60ff5fb77bf1e8f470444d315

SHA512
fae51c720506b8d9d31fc7e8344799b417e1fb6bfe9dc97df75b6708e080e75e7b092f85c877c8ce72aaec01f7e4b6cb4c75298242de3124d86188f059c71e43

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
8ff1bb33d7829cec7784f9bbb462874d

SHA1
88d0d845ff643d2222151c18c692fbb0e51528e0

SHA256
f29debb29ead2af9eb9ebcf48aa497a7a0df8095f727476936fed91b1009c9d2

SHA512
1f264dd38d886de2fda6e127805ca379c5e6d9efebd2198306b8562896db6d55355b093565e85e21927f4e3c7ca6a886e01168d19a92d99ec4153be70bba62dd

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
657b2c61808e8d39f3a5a345a75ada20

SHA1
56d67ecb200eae91db716266aff2c68048f53fee

SHA256
f94fbb13b407ef2902c6cf98bff32f54e9407ecd1d649cc22281d71bd9d2b166

SHA512
17d3d90dc79ebed2b7b96e1963889246122eb51963cc832fab497ed04d8203ac7048f0f35a168e87bab975e7d4f469c9c98282d97f584b95c026a1af616966ab

Download Submit