neconyd | 73f21e7b2f4c2847f7123d76bd43feb7f237eab5612bc5f45fe9e0e7e89a6910

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2024 02:12

Target

73f21e7b2f4c2847f7123d76bd43feb7f237eab5612bc5f45fe9e0e7e89a6910.exe
Size

80KB
MD5

571ef3f20a7e4eb4071c1ef5a761fc59
SHA1

91e5e12ce1c01e84692d51e5bc9839cba139fccb
SHA256

73f21e7b2f4c2847f7123d76bd43feb7f237eab5612bc5f45fe9e0e7e89a6910
SHA512

0ecfca4fe110757ce1bfe8947dae854c6a8bf2ad07c4031cdb7c4f02c4e731bf7d321bf5db73f143fca87d27baafd82acb6612eddf3947e289e6d6c21c3bd80b
SSDEEP

768:6fMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:6fbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

4072 omsecor.exe
2184 omsecor.exe
4488 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

73f21e7b2f4c2847f7123d76bd43feb7f237eab5612bc5f45fe9e0e7e89a6910.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2280 wrote to memory of 4072	2280	73f21e7b2f4c2847f7123d76bd43feb7f237eab5612bc5f45fe9e0e7e89a6910.exe	omsecor.exe
PID 2280 wrote to memory of 4072	2280	73f21e7b2f4c2847f7123d76bd43feb7f237eab5612bc5f45fe9e0e7e89a6910.exe	omsecor.exe
PID 2280 wrote to memory of 4072	2280	73f21e7b2f4c2847f7123d76bd43feb7f237eab5612bc5f45fe9e0e7e89a6910.exe	omsecor.exe
PID 4072 wrote to memory of 2184	4072	omsecor.exe	omsecor.exe
PID 4072 wrote to memory of 2184	4072	omsecor.exe	omsecor.exe
PID 4072 wrote to memory of 2184	4072	omsecor.exe	omsecor.exe
PID 2184 wrote to memory of 4488	2184	omsecor.exe	omsecor.exe
PID 2184 wrote to memory of 4488	2184	omsecor.exe	omsecor.exe
PID 2184 wrote to memory of 4488	2184	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\73f21e7b2f4c2847f7123d76bd43feb7f237eab5612bc5f45fe9e0e7e89a6910.exe
"C:\Users\Admin\AppData\Local\Temp\73f21e7b2f4c2847f7123d76bd43feb7f237eab5612bc5f45fe9e0e7e89a6910.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:4488

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
80KB

MD5
ca4b7e9cde5913bbfa47fa90f056ebca

SHA1
135cef0fd7cdd8de006de82215d3021af72f70c8

SHA256
e1d90623eb3addd04effd51d0b9c6bcaf805e98ac07f3acf2e0282cf4f138ea4

SHA512
906537456f44ed5d571498bf109e2f202f1f37302c3a853319e7ac6f4ed3683a3204621cff6295b44ad18f7aace91d4b459daca4f15b25a650b32818435fb1b6

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
80KB

MD5
e211d2ea1767dca3af915d18598f8cab

SHA1
05c7e79107bfff36afbc05187940b9f3ec0788d8

SHA256
1fc22615248d9c796ab0784c05a829dcf962ee8b8c94dd92916a05a07c039c67

SHA512
8a95e10ee9f186dc66113162fbdf9e557fba3d554bb45fbc50cf8510387dcfc66da568b143dba11684a4266871c7780394019a72d4acf85ebbc41dd3367e8065

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
80KB

MD5
d4e2d6ae394ab55cfc6ce552f637026e

SHA1
59834da11ee0675bbcf1a29b0b371de92783dcb3

SHA256
4e465420ff96bcd159e2d1f1b3889c49136cf4a88f0a07f707294aa24aa874ec

SHA512
9b2cce26472687be10ffd2591279cb1d54d4c9046c5f1c5f7f24e1031e155f781a22a5e71e671a6e3c555ad65fe91053adc1cc6ad0b29716e56a7897826842cb

Download Submit