neconyd | 551cb43b20711132594a5b9dd550eb7d3718d0ac9ac3b9e998ddc5a5246d2590

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 23:41

Target

551cb43b20711132594a5b9dd550eb7d3718d0ac9ac3b9e998ddc5a5246d2590.exe
Size

61KB
MD5

67d61466fc41295f24a7b222723c4f16
SHA1

0bced1b39bfd208e501c979fb924dc5c05bde2fc
SHA256

551cb43b20711132594a5b9dd550eb7d3718d0ac9ac3b9e998ddc5a5246d2590
SHA512

4d233344a13cf2d419341ad9e7f16c7c48a7dd62dc30b10e76ecf4b6f89436fd1e3e5f25cc09143e1177273763063deb86ca7622ae8a92607613612a37372da2
SSDEEP

768:x2MEIvFGvZEr8LFK0ic46N47eSdYAHwmZ7Bp6JXXlaa5uA:x2bIvYvZEyFKF6N4yS+AQmZIl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2388 omsecor.exe
2276 omsecor.exe
1748 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

551cb43b20711132594a5b9dd550eb7d3718d0ac9ac3b9e998ddc5a5246d2590.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 4872 wrote to memory of 2388	4872	551cb43b20711132594a5b9dd550eb7d3718d0ac9ac3b9e998ddc5a5246d2590.exe	omsecor.exe
PID 4872 wrote to memory of 2388	4872	551cb43b20711132594a5b9dd550eb7d3718d0ac9ac3b9e998ddc5a5246d2590.exe	omsecor.exe
PID 4872 wrote to memory of 2388	4872	551cb43b20711132594a5b9dd550eb7d3718d0ac9ac3b9e998ddc5a5246d2590.exe	omsecor.exe
PID 2388 wrote to memory of 2276	2388	omsecor.exe	omsecor.exe
PID 2388 wrote to memory of 2276	2388	omsecor.exe	omsecor.exe
PID 2388 wrote to memory of 2276	2388	omsecor.exe	omsecor.exe
PID 2276 wrote to memory of 1748	2276	omsecor.exe	omsecor.exe
PID 2276 wrote to memory of 1748	2276	omsecor.exe	omsecor.exe
PID 2276 wrote to memory of 1748	2276	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\551cb43b20711132594a5b9dd550eb7d3718d0ac9ac3b9e998ddc5a5246d2590.exe
"C:\Users\Admin\AppData\Local\Temp\551cb43b20711132594a5b9dd550eb7d3718d0ac9ac3b9e998ddc5a5246d2590.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4872

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1748

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
61KB

MD5
02b562414894aa371d73a0e08de9b88a

SHA1
aa030d7a44f8c75e223fda8487f8a3913fd54acb

SHA256
33313c1aff8abecadf80db2b38d784f5ad6e769514f7b23061d9416b904c4206

SHA512
f291be111e8e4513c3a574cb94011f6775fcab93195a55d4aa2a0ce976e0d52e7db9ea1efdd6a15e66ea0985c74e11111c6a0ae42f73c34d3350d1409beb7328

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
61KB

MD5
0d494bca09c9f46732ff362190869edb

SHA1
c91adb2267aa83be8899676c7c6e8838ab2fc3ac

SHA256
bc75036d6188bda2652c95899b7d0dcde75288c32bfa8c2b889ccdaa75c5d683

SHA512
308acf15821e728ebb0c4424a00af8cb87c1aa7dbd62d5ef88094adef60f511c23937791548d0383218772ccb869abaa4f2818ce62b1d1b8fef59a137055b997

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
61KB

MD5
5eb2c280c34c7b26e831c58e5c30779a

SHA1
62e6021e20537f4b26b40137c23ce1272580df16

SHA256
d3afbadd164106a0e593b3f9366c9399cd994e05b53a5d214ce902c6a9eda45a

SHA512
02f66545979c01b9bbc3fd6bb282f06502fbc8646a1a8d3b7f6f7192bf411a7deccca7f26fc24013df1aa3e70ef5ac3e728f94cd01026ddfafabe3972d41c256

Download Submit