neconyd | 0bfdf009acefcc18b0e7077b1f7ecdad84cdaa546b792e7376ea9c26f5fdf920

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 02:28

Target

83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exe
Size

88KB
MD5

83c735b8f1208ad86319bf6bb265c340
SHA1

cca7c9df5fa8e1883ddba8466a17470908d90456
SHA256

0bfdf009acefcc18b0e7077b1f7ecdad84cdaa546b792e7376ea9c26f5fdf920
SHA512

8eee015b259190cfd33bcc4bc258e87469263c5ca6548148553aee8f339539b417761d5d39cd6088f4950953a507bfc77bc1977b69b49447d0ad5162b9b4cb8f
SSDEEP

768:GMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:GbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2852 omsecor.exe
4320 omsecor.exe
4232 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 4948 wrote to memory of 2852	4948	83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exe	omsecor.exe
PID 4948 wrote to memory of 2852	4948	83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exe	omsecor.exe
PID 4948 wrote to memory of 2852	4948	83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exe	omsecor.exe
PID 2852 wrote to memory of 4320	2852	omsecor.exe	omsecor.exe
PID 2852 wrote to memory of 4320	2852	omsecor.exe	omsecor.exe
PID 2852 wrote to memory of 4320	2852	omsecor.exe	omsecor.exe
PID 4320 wrote to memory of 4232	4320	omsecor.exe	omsecor.exe
PID 4320 wrote to memory of 4232	4320	omsecor.exe	omsecor.exe
PID 4320 wrote to memory of 4232	4320	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4948

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:4232

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
88KB

MD5
c6b181f080d8adc829d0f602b9bfcb48

SHA1
8e88b19a0a26a5f3863e7219b07a3efbf14e06e0

SHA256
00e2b4511480aeab1794f1d8eaedec3aa157ac060ed42b169d03f20b40d10be0

SHA512
48d80dfb202bf36f0805fd6f7d56058d6cbb48236df385e639c106981a8bda46f056e3c908725240ff320324f127247ce3dc579db1e6a15da54ee80eaf376fab

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
88KB

MD5
eb940aa1bc3be9a55183f507eff5da82

SHA1
dccbf1a03912833661c3e1f12def53265b65d327

SHA256
469449f9ed73d3c7eb99e4b011eab00188a4d95073cc9f2e60cf9494b519c332

SHA512
4f9727a81196efbea9888f06d2b06c262606a25dde8f361012f5d1945e155ae96551290174534cdb86ebd2d1934980be605a01fb7cbdad5942f792baf445e644

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
88KB

MD5
afef870bbd76a4a326b75abcb3137133

SHA1
db849faaa96a36ac9f223b3c23e17c798290126f

SHA256
c358e19f27493ea563e71835d7ef7d77e9bde0ae1f2120306fbbe4dbb7610a28

SHA512
eb9079795680104251179e591efb316ce2908b96393cd8c52eb2027989da99f6448b7080884b2d222cd40775444945f95f1b2e3909d75c0ae4de44d0674deaa2

Download Submit