neconyd | 148b42cbac20244f46eac251c26b4ecbd74cf0502739379ccca73750ddf1f43b

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 02:41

Target

84963f4bd0a886ad6170a4d3ae6eaf60_NeikiAnalytics.exe
Size

88KB
MD5

84963f4bd0a886ad6170a4d3ae6eaf60
SHA1

1773f7dd07f27223504d30ee50695643ab7da319
SHA256

148b42cbac20244f46eac251c26b4ecbd74cf0502739379ccca73750ddf1f43b
SHA512

78a72e63636d7f0270006b18b075671c6ec59056c9fed38c4b0acffeead8f1a69ac71cfeba8ab38d2f072eb64619ab6b3e14c062bfaa7cccfdc6ae70a37452dd
SSDEEP

1536:sd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:UdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

860 omsecor.exe
4808 omsecor.exe
3628 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

84963f4bd0a886ad6170a4d3ae6eaf60_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1676 wrote to memory of 860	1676	84963f4bd0a886ad6170a4d3ae6eaf60_NeikiAnalytics.exe	omsecor.exe
PID 1676 wrote to memory of 860	1676	84963f4bd0a886ad6170a4d3ae6eaf60_NeikiAnalytics.exe	omsecor.exe
PID 1676 wrote to memory of 860	1676	84963f4bd0a886ad6170a4d3ae6eaf60_NeikiAnalytics.exe	omsecor.exe
PID 860 wrote to memory of 4808	860	omsecor.exe	omsecor.exe
PID 860 wrote to memory of 4808	860	omsecor.exe	omsecor.exe
PID 860 wrote to memory of 4808	860	omsecor.exe	omsecor.exe
PID 4808 wrote to memory of 3628	4808	omsecor.exe	omsecor.exe
PID 4808 wrote to memory of 3628	4808	omsecor.exe	omsecor.exe
PID 4808 wrote to memory of 3628	4808	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\84963f4bd0a886ad6170a4d3ae6eaf60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\84963f4bd0a886ad6170a4d3ae6eaf60_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:3628

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
88KB

MD5
4e51956d11110f85f9b19806077aebdd

SHA1
ef758c2cf4b829dd1c15b28a58124acce66991f0

SHA256
e3f6765a1ac10ec513527035028a0b3b9cb4ff573d5e3eff2c627b1164311295

SHA512
d3b0eb0b471813ae8eb262af38cce0290f913561ef85cf94cb4dc9b91a68db70033146389b7c122663ed2bd9c0745b645f9a0fd3a3b5e683b7e97cdf1822ddd4

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
88KB

MD5
a147ba4658821c6f22ad5535b73dbe01

SHA1
c1ad90d69781e8232e96fd78b9d20bffd68199ce

SHA256
1be07bb1840d0207b31b2f612887854e43f5bcc6895a7fea22318a204d764d1f

SHA512
8f32e67213183db91caaaafef25ceea3173114b77ed2ec70a5c1f9e46bc0b348be8629db04bbfd1050b76305853fed93b517c6dcdb3d49b14bd6e8412fda6b54

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
88KB

MD5
cdac701294f1986f71fe2d1b149faa5b

SHA1
f33e3dd269a04b07be7121acf84732ee6f20e73e

SHA256
cade0f821e31380bbf729a5b89c90e8270be46956849883532131800e70cebde

SHA512
485f98c2e292d72c4593d80f60830eda1b960c94dfcad429a5472de8ec8a9ba28592272db02ec8d0ad00d9868e5bba382b73a7638bba4881c86ff607ac2db6c6

Download Submit