neconyd | b9ae3f7c1c219bf84e862d9588da9d34f68f1bbbff242b86c814dcbf4c1b1707

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2024 03:03

Target

0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe
Size

92KB
MD5

0cbf8a08556a92c3a9b8be1a0d423a20
SHA1

1563c750b2fb0ab92b3e61124f56ba4021fcdac8
SHA256

b9ae3f7c1c219bf84e862d9588da9d34f68f1bbbff242b86c814dcbf4c1b1707
SHA512

9c08c107a479eaf3f95ff8bcb7406fb88e69118793b7174939bfc1b34bf2bead3ca21041addcb331f90f5b8fc12d6b6a9e3009a6d6dff90dc4c15e8a29dfe875
SSDEEP

768:wMTIvFGvZEh8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:wUIvYvZEgFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

3032 omsecor.exe
3844 omsecor.exe
Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe

pid	process
3032	omsecor.exe
3844	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exeomsecor.exe

description	pid	process	target process
PID 3020 wrote to memory of 3032	3020	0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe	omsecor.exe
PID 3020 wrote to memory of 3032	3020	0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe	omsecor.exe
PID 3020 wrote to memory of 3032	3020	0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe	omsecor.exe
PID 3032 wrote to memory of 3844	3032	omsecor.exe	omsecor.exe
PID 3032 wrote to memory of 3844	3032	omsecor.exe	omsecor.exe
PID 3032 wrote to memory of 3844	3032	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
66666358dc85a10bb342681b6811942f

SHA1
ba53910509bc01f73a9a97aab3a66e935774f55d

SHA256
c302add7b955f5381fc1a3c1eeac1f54e6929d38e12caa15ccbb130a50356eda

SHA512
68d7392288d667759aaa520c32cab2bdfb37826f9d32f3834f96fd3adc07715beb779e8ccd46d5586cf7f1b698ad971e217acba1e10a51bdea8718b0c134a942

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
92KB

MD5
ec9297108db0b0729a7f656009ee53be

SHA1
f8d6a3279893a43c79731bda31691006e3bb43af

SHA256
511ee3bc0daf8331249374323f1b489782768d85f9eb05d1037805fea0231681

SHA512
1142dd43ce9a2fd0b7db09b5752e1ab781cb4157b32c90b9dbd6e2a1ec7ef27ca928d61b6eadd1772d16be536af60b694ce233a12efd816561e30c8792e3f076

Download Submit
memory/3020-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3020-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3032-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3032-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3032-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3844-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3844-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download