neconyd | 50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 23:18

Target

50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe
Size

72KB
MD5

efa71cb9ad8a61e610054887015740a3
SHA1

dabbefd99a1af75822e4df7d38dd133c72505264
SHA256

50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce
SHA512

3f0ffb5a9f574ddac1721eaaaf8d0005ef54fc2a8b7b52394dab7ba3d6ffad0c910b15e91aa5267e8363ccdaedf042e56a37923d310e2d50ad06f9caa9bd4977
SSDEEP

768:8MEIvFGvoEr8LFK0ic46N47eSvYAHwmZGp6JXXlaa5uA:8bIvYvoEyFKF6N4ySAAQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

5104 omsecor.exe
816 omsecor.exe
Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe
File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
5104	omsecor.exe
816	omsecor.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exeomsecor.exe

description	pid	process	target process
PID 1448 wrote to memory of 5104	1448	50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe	omsecor.exe
PID 1448 wrote to memory of 5104	1448	50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe	omsecor.exe
PID 1448 wrote to memory of 5104	1448	50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe	omsecor.exe
PID 5104 wrote to memory of 816	5104	omsecor.exe	omsecor.exe
PID 5104 wrote to memory of 816	5104	omsecor.exe	omsecor.exe
PID 5104 wrote to memory of 816	5104	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe
"C:\Users\Admin\AppData\Local\Temp\50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
72KB

MD5
2e3a04c7437f52b16f134cf7a56f2961

SHA1
bc2dc3ce8cbae3f2625c4dea1b12f81468f5c3a1

SHA256
16eecd31e364d097bac9c975f13f6163b2a80cf251364561a6c1cab33ee10db0

SHA512
2db0788feb00a4170d7cb080b5677c5fa7baa19dc1d8ca624cd85de200452a06f86592eec3e061c81bc278f4e4528847c40c877430d4d0b7da2d45dba04b8c62

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
72KB

MD5
4a556c31348147f486aeb974128aaafb

SHA1
9177e7b4e3c7f0068418b0a9489cbe408becbc0d

SHA256
eb4a836eb58e64d0c0adce053c304509df64ddc3b627009882579c80a1ef4bb6

SHA512
399260c9be7c3ae9e5831584b0b1dbb4bb0a6c43f303bc4a99684ba0e01cc120d5b3a2847e7250be516ce0aea8d887a6d7573d022c302878463c4952f4115405

Download Submit
memory/816-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/816-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1448-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5104-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5104-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5104-10-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download