neconyd | ad73863dc9726bbe6cf6c7d2433f9cde1896d8198a51e7e03f3cf1ec26f78929

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2024 02:30

Target

6dadb6fc1f598dfc9ebb7aa087046b40.exe
Size

72KB
MD5

6dadb6fc1f598dfc9ebb7aa087046b40
SHA1

a1783a5676d47dabc025d3823e7783e119cecdde
SHA256

ad73863dc9726bbe6cf6c7d2433f9cde1896d8198a51e7e03f3cf1ec26f78929
SHA512

c105bde5564c74770f29e9d8fa8440bdcbc34794545335a046505d00a3bae61ddc5bacd3b349e12d98f57188d6e5f29e8ef7792f3ef7106cfa51e48cc655bccf
SSDEEP

1536:jd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211:DdseIOMEZEyFjEOFqTiQm5l/5211

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

4972 omsecor.exe
3564 omsecor.exe
344 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6dadb6fc1f598dfc9ebb7aa087046b40.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2676 wrote to memory of 4972	2676	6dadb6fc1f598dfc9ebb7aa087046b40.exe	omsecor.exe
PID 2676 wrote to memory of 4972	2676	6dadb6fc1f598dfc9ebb7aa087046b40.exe	omsecor.exe
PID 2676 wrote to memory of 4972	2676	6dadb6fc1f598dfc9ebb7aa087046b40.exe	omsecor.exe
PID 4972 wrote to memory of 3564	4972	omsecor.exe	omsecor.exe
PID 4972 wrote to memory of 3564	4972	omsecor.exe	omsecor.exe
PID 4972 wrote to memory of 3564	4972	omsecor.exe	omsecor.exe
PID 3564 wrote to memory of 344	3564	omsecor.exe	omsecor.exe
PID 3564 wrote to memory of 344	3564	omsecor.exe	omsecor.exe
PID 3564 wrote to memory of 344	3564	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe
"C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:344

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
72KB

MD5
bb825a818153d363cf75b3767d5c2d54

SHA1
e7bf70d244f140b6fc5ba155e67c831abae52b72

SHA256
d1b7fb60b63d00369dc42e35878bde73a1d3ee43d1843b73946c1ce6f3127664

SHA512
7f154cb3eed3f53e22308f88bd529a451b8dff20283e2f57c8b2ceb3de22eb2096cde8e34357e5da92969fadc33e001356c82c99bdf8c58b02c346951d45283e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
72KB

MD5
096514828731d6b4e1ca1eefd56a2fc5

SHA1
9bfa57e952573f2fdbcd6b9467f8c467fde73ccb

SHA256
569fce08924a54f440efbe7edb1535f08e87987f35e52d85dd8fa850c5050f4e

SHA512
b966e5c7de921f5fae9ea0bb252278be06f92a0396c9b3382ce6383d793f682d50163fa965517c8e88f9cb0774b249981c73ac7ed8c915f11e1afc3c253917c4

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
72KB

MD5
eb108ba62c2229657f9efbb2c1135111

SHA1
c95f25226d905d6354e42ea8e7b5b386a9c52a30

SHA256
23ce87543fb609b8a1e3bd1739a353017bd3cab78be40239d5798c35d5ccd369

SHA512
7c0d2ead9f7e9ae50a1f9cdcbca7f54dbd8ce40984caba12119b0dd0fcff61f7f536d2c92986d020adf8a69505b8a6ef2ccb6a8678df53fbb0fbf5f860cf4ce2

Download Submit