neconyd | 84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09-06-2024 03:41

Target

84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe
Size

61KB
MD5

d3a1e5b18165eea6485bddaa8ee14eb4
SHA1

e52ddf7d7d636b37fcea271bbb870a53cb5001ba
SHA256

84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880
SHA512

fb076edf27d4b1fd7abe7b7629e95a07189422425f7c2d30307cf8f04eda80784aa2504358e215e2cb3e426fc1a2a9e11d6f07ecfc65118463e9b3530a16f760
SSDEEP

1536:Td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZml/5:TdseIOMEZEyFjEOFqTiQmAl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1804 omsecor.exe
2972 omsecor.exe
2712 omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exeomsecor.exeomsecor.exe

pid	process
1256	84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe
1256	84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe
1804	omsecor.exe
1804	omsecor.exe
2972	omsecor.exe
2972	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1256 wrote to memory of 1804	1256	84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe	omsecor.exe
PID 1256 wrote to memory of 1804	1256	84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe	omsecor.exe
PID 1256 wrote to memory of 1804	1256	84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe	omsecor.exe
PID 1256 wrote to memory of 1804	1256	84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe	omsecor.exe
PID 1804 wrote to memory of 2972	1804	omsecor.exe	omsecor.exe
PID 1804 wrote to memory of 2972	1804	omsecor.exe	omsecor.exe
PID 1804 wrote to memory of 2972	1804	omsecor.exe	omsecor.exe
PID 1804 wrote to memory of 2972	1804	omsecor.exe	omsecor.exe
PID 2972 wrote to memory of 2712	2972	omsecor.exe	omsecor.exe
PID 2972 wrote to memory of 2712	2972	omsecor.exe	omsecor.exe
PID 2972 wrote to memory of 2712	2972	omsecor.exe	omsecor.exe
PID 2972 wrote to memory of 2712	2972	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:2712

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
61KB

MD5
7959b597282b91fcae967e4ba43fa338

SHA1
be74b4f002834cf986ad73694b9a623331511709

SHA256
1d2920245831e3c1834fd2ea334a08da2b56f62c1ef3d0cf8ed64ecb4bbd22eb

SHA512
84c5957dbb6608db2dfd32c390489bb42df02d0eacae9a0c7380d8e6186d77b08741b05660c5d612dd2f21e563e909f4372b323df5c16c5ce6c92f26345661f4

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
61KB

MD5
cd34a7b180bc9d2d70c78d096e4addb8

SHA1
bc28dd6f224cc1680b8a7304d73ae77b36676867

SHA256
d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158

SHA512
3474ab4a44db8066734f57c348b3d9328ef024697a7e40ed8243c4d056cef250d225260ab5df4281805da72db37181e7502b5515e06245c1bd14efdd141890af

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
61KB

MD5
0115bb1d512186abc5ef6056c5953670

SHA1
208cbff0914ba89b02788ed808a5eb6eff873da3

SHA256
e16718e837f07c9178fb90cbfd121613c6f4ee1538acbde53edfed153ea226ca

SHA512
711c2f5ba051628df61c8c780cad0c93e7bba807f2db55d6ef087d6551ce69c6b81b6c4a4db8bbf257e23c1ed596482e73ab38b7eabe7b8e4b3a01b4538baa24

Download Submit