neconyd | 01ba89fcee616b54111283f8cff8d55a85f850ea33fa2fa82d3d3141242c1b57

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 04:22

Target

8b422824c12d79d038bf455c8133fcd0_NeikiAnalytics.exe
Size

72KB
MD5

8b422824c12d79d038bf455c8133fcd0
SHA1

931bdd38096808d2ff28e6238fa051570a1fa863
SHA256

01ba89fcee616b54111283f8cff8d55a85f850ea33fa2fa82d3d3141242c1b57
SHA512

6016610cff945e82256b5985d9d5398ecf15650c842411c53f4ba15fa1bcd1e46de46e9dccd2efa5b5a17576dcccb845e8c70165cfb5d0ce1270999ca99815d6
SSDEEP

1536:ud9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211:2dseIOMEZEyFjEOFqTiQm5l/5211

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1512 omsecor.exe
1620 omsecor.exe
2376 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8b422824c12d79d038bf455c8133fcd0_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2308 wrote to memory of 1512	2308	8b422824c12d79d038bf455c8133fcd0_NeikiAnalytics.exe	omsecor.exe
PID 2308 wrote to memory of 1512	2308	8b422824c12d79d038bf455c8133fcd0_NeikiAnalytics.exe	omsecor.exe
PID 2308 wrote to memory of 1512	2308	8b422824c12d79d038bf455c8133fcd0_NeikiAnalytics.exe	omsecor.exe
PID 1512 wrote to memory of 1620	1512	omsecor.exe	omsecor.exe
PID 1512 wrote to memory of 1620	1512	omsecor.exe	omsecor.exe
PID 1512 wrote to memory of 1620	1512	omsecor.exe	omsecor.exe
PID 1620 wrote to memory of 2376	1620	omsecor.exe	omsecor.exe
PID 1620 wrote to memory of 2376	1620	omsecor.exe	omsecor.exe
PID 1620 wrote to memory of 2376	1620	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\8b422824c12d79d038bf455c8133fcd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8b422824c12d79d038bf455c8133fcd0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:2376

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
72KB

MD5
4146c5e8be639079cf4f0c189774d232

SHA1
dc92386d14664c61244b094d6bbb04e28113d749

SHA256
96705aa948a3c0e71098c0f72dd277ba8d83789c22729adec5b872b7e92dbf38

SHA512
ee1906e47a49d7324ec31396c13ff28c5452f20bb33c20257ffbb2ae54aa8a32fdfe8797044a0c3e8827e90d52f3bc0066656d39549c8e08bdf1664e2a18dc61

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
72KB

MD5
e04c858ea1cfc5d2631a66696cf7b786

SHA1
4f3be9ad26cbc0ce9443919e1d3036913170452f

SHA256
9d3c68721100fb5220a00fd8573f09ca2a78ee2388ccb88865ad488b0fcc4d3c

SHA512
f4115603e5f5576e0932fd02b68824520265129935f5f9624f1827820f7688dac78eb02bdb0eb6a4acf9298aee0c503a047b7b08bebfc302018526c8e5800df6

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
72KB

MD5
ab09c28ef113287804f2ae7da70aa399

SHA1
7d97757539282c3dcab9ce06ff6054bd8aafcf82

SHA256
e6fad8578f5724f49d95f5cca9c66f37f9a86fc6e69dfab78309d85c9d4bfbb2

SHA512
bdcad2d159983b57ced15f5389f499fe2ab6d527fdad67aafe05ef7b752caf52f34d0369e6896964c51f196c1ad2c8069d6bc85806a5f24be5608025f0f913a5

Download Submit