neconyd | 2d258b57b0125ffb2a18af4446d8865ce8540f4f490379f4ef162fbf0fd44a9f

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 11:46

Target

54bce660915caeec32b0702692de1dd0_NeikiAnalytics.exe
Size

84KB
MD5

54bce660915caeec32b0702692de1dd0
SHA1

0808f6da79a2021a80cd16213341edd67ffb5e40
SHA256

2d258b57b0125ffb2a18af4446d8865ce8540f4f490379f4ef162fbf0fd44a9f
SHA512

388e81cd1ca2ce0b6bb1f75c7f2ea24695fd79bb2a8d7ab16788a4133f17543fd9be9e44aa5b454392565dd27079d9739e1c4ef65af7f3482666752210ce0720
SSDEEP

768:IMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:IbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 1816	4332	54bce660915caeec32b0702692de1dd0_NeikiAnalytics.exe	90
PID 4332 wrote to memory of 1816	4332	54bce660915caeec32b0702692de1dd0_NeikiAnalytics.exe	90
PID 4332 wrote to memory of 1816	4332	54bce660915caeec32b0702692de1dd0_NeikiAnalytics.exe	90
PID 1816 wrote to memory of 2472	1816	omsecor.exe	107
PID 1816 wrote to memory of 2472	1816	omsecor.exe	107
PID 1816 wrote to memory of 2472	1816	omsecor.exe	107
PID 2472 wrote to memory of 4188	2472	omsecor.exe	108
PID 2472 wrote to memory of 4188	2472	omsecor.exe	108
PID 2472 wrote to memory of 4188	2472	omsecor.exe	108

C:\Users\Admin\AppData\Local\Temp\54bce660915caeec32b0702692de1dd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\54bce660915caeec32b0702692de1dd0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3744,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=3148 /prefetch:8
1⤵
PID:3444

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
628b3b5f335a950ba4f1e47e33087a35

SHA1
d7bba7cead2c4b0b16a911b26c055a307a0bb148

SHA256
705764ce5e25ff75a5850dd50521bed5be475b4f62d4ea46f756cbed5ad3e3dc

SHA512
7100e82c560ac92dab42868023f094e46101e89d24c8d0fabde77d5777f4f8272ca6f0f6dc6cb6b0e1c5d3e39ce31033c998a765b13cbb2d8490b0b57a295797

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
68cdd576ea5b3c5728b0884d6f82f736

SHA1
4d24e45cd6585ef627565a348aa9b863f33b6a6f

SHA256
dd4dfefce6c35b1adc5d691408ec122d23acf2625460724ed194824f64c0898a

SHA512
71f82843324a321b42f9eaeaf22fe11ffc6418256c6fee060071e52f5a8ccc51522f6427a2a0cd342d31d68ee1d9f7e7ab1bf5843cc60f1e2847d7bf341c0d64

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
17eb72c320a5d68e21d4a3470ed9c3a6

SHA1
783fa475a38ad9db30857f2a06621b758a83811c

SHA256
c1c81f32f1f53b261f6cc7b17f9ad1fa8b64089eafaafb03341f71cb1a5baadc

SHA512
d2cb3978b467204ae6cc56266dcb7be83ed1d79235b5434f7e264ef9a369264301a2c65f01166e6f57220d2aedd5f7c8c611cb26fc2ba9da34a9c084f9330f3d

Download Submit