neconyd | 1f8af6dc294105a4346c258efd75a778026217cc0dbefc8bbbd484c00e7d21e4

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 22:15

Target

71f0658fb586d3e6c81daac0faf02d30_NeikiAnalytics.exe
Size

84KB
MD5

71f0658fb586d3e6c81daac0faf02d30
SHA1

41c8999a79e745988a8e748dd0b3e35ebacc0c1a
SHA256

1f8af6dc294105a4346c258efd75a778026217cc0dbefc8bbbd484c00e7d21e4
SHA512

6d60717f6caae2077e7177f1d742b30469468b67ed089da26df6505c01d8bf4a8aa10672774a348165a3c93107d6fb8d398aea36d4d601969e2cbec14535aabf
SSDEEP

1536:Zd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:5dseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 3088	4888	71f0658fb586d3e6c81daac0faf02d30_NeikiAnalytics.exe	81
PID 4888 wrote to memory of 3088	4888	71f0658fb586d3e6c81daac0faf02d30_NeikiAnalytics.exe	81
PID 4888 wrote to memory of 3088	4888	71f0658fb586d3e6c81daac0faf02d30_NeikiAnalytics.exe	81
PID 3088 wrote to memory of 3108	3088	omsecor.exe	94
PID 3088 wrote to memory of 3108	3088	omsecor.exe	94
PID 3088 wrote to memory of 3108	3088	omsecor.exe	94
PID 3108 wrote to memory of 4580	3108	omsecor.exe	95
PID 3108 wrote to memory of 4580	3108	omsecor.exe	95
PID 3108 wrote to memory of 4580	3108	omsecor.exe	95

C:\Users\Admin\AppData\Local\Temp\71f0658fb586d3e6c81daac0faf02d30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\71f0658fb586d3e6c81daac0faf02d30_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:4580

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
e34ebfd281d5a2b7bc7955d5ad65c9d1

SHA1
27c452c05f361d6633e717cc21213bf48eb0cb7a

SHA256
aaf9bcfb300f552d8c73e3ed428baa73202bd442fc4a173aa022c7bedcd3ea72

SHA512
18e5a86aa146db24f98383b0085fb60871751138b48c50e1dc18016279a641b0580c4b75028523be2f9363f514e3dc883df970c23fc550296b747bb5307a92bc

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
7aef4598776cfd36ec8ede00f7665def

SHA1
4e118ebf5e7540f1f2453c2c7f57269eec7065e9

SHA256
c0a52d6878a33b372328fbf46d61bdec4a7ccbf60ff5fb77bf1e8f470444d315

SHA512
fae51c720506b8d9d31fc7e8344799b417e1fb6bfe9dc97df75b6708e080e75e7b092f85c877c8ce72aaec01f7e4b6cb4c75298242de3124d86188f059c71e43

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
191f5a4f81537c0783160b1c07cac249

SHA1
1f39bbebb40ed0e400e120b50f93d09fab24b4e1

SHA256
d128af6f19298d31164b0c8ded0e7677b2f5c74a363dac92d0dc0d36c4dc727e

SHA512
f617c828b13e1465e207331c12e8b030a67f03203883bf7b0e2cf6a398c493c72c95314fefc99854e483b6af47571d3111f3f64cd416b3d28df2f6f4629744ac

Download Submit