neconyd | 84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2024 03:41

Target

84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe
Size

61KB
MD5

d3a1e5b18165eea6485bddaa8ee14eb4
SHA1

e52ddf7d7d636b37fcea271bbb870a53cb5001ba
SHA256

84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880
SHA512

fb076edf27d4b1fd7abe7b7629e95a07189422425f7c2d30307cf8f04eda80784aa2504358e215e2cb3e426fc1a2a9e11d6f07ecfc65118463e9b3530a16f760
SSDEEP

1536:Td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZml/5:TdseIOMEZEyFjEOFqTiQmAl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

4468 omsecor.exe
4012 omsecor.exe
Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe
File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

pid	process
4468	omsecor.exe
4012	omsecor.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exeomsecor.exe

description	pid	process	target process
PID 3836 wrote to memory of 4468	3836	84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe	omsecor.exe
PID 3836 wrote to memory of 4468	3836	84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe	omsecor.exe
PID 3836 wrote to memory of 4468	3836	84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe	omsecor.exe
PID 4468 wrote to memory of 4012	4468	omsecor.exe	omsecor.exe
PID 4468 wrote to memory of 4012	4468	omsecor.exe	omsecor.exe
PID 4468 wrote to memory of 4012	4468	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe
"C:\Users\Admin\AppData\Local\Temp\84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3836

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
61KB

MD5
cd34a7b180bc9d2d70c78d096e4addb8

SHA1
bc28dd6f224cc1680b8a7304d73ae77b36676867

SHA256
d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158

SHA512
3474ab4a44db8066734f57c348b3d9328ef024697a7e40ed8243c4d056cef250d225260ab5df4281805da72db37181e7502b5515e06245c1bd14efdd141890af

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
61KB

MD5
e5ad19d6ee79324c200127fc64c75ac5

SHA1
4f5ae890ba1a1cbfb5a8c311d64785693b70a520

SHA256
7f8106b7f500ac54311a5d225709b900ac1038671343658ea52788790feeb5e4

SHA512
f9a5dc0be3810834898419356bcd6dc136b21114dd2a648280066ff5cbfc3fab4f75bf5fe7d55dbddfb31210a5801216622b8a805b5d8a1559da905c36f9349d

Download Submit