neconyd | 2ed200c727811e5fd928848a6d0131618e2e59195b945d076a04b47bd2d98bfe

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2024 04:26

Target

0f33803ad4a6eab18c108a93e8ed6e00_NeikiAnalytics.exe
Size

80KB
MD5

0f33803ad4a6eab18c108a93e8ed6e00
SHA1

3941d0edc42225618382d04cf0e18d608e5fc5a2
SHA256

2ed200c727811e5fd928848a6d0131618e2e59195b945d076a04b47bd2d98bfe
SHA512

5ed531712a797a5d8f35ceb0a464b8c16bb9370d907454f7561706655b00f6c4b77028635f6f6a5a11cc527e8620a7fb1eb7647fcea006a580326b6f478c94de
SSDEEP

768:RfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:RfbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

2580 omsecor.exe
3048 omsecor.exe
Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe

pid	process
2580	omsecor.exe
3048	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0f33803ad4a6eab18c108a93e8ed6e00_NeikiAnalytics.exeomsecor.exe

description	pid	process	target process
PID 4364 wrote to memory of 2580	4364	0f33803ad4a6eab18c108a93e8ed6e00_NeikiAnalytics.exe	omsecor.exe
PID 4364 wrote to memory of 2580	4364	0f33803ad4a6eab18c108a93e8ed6e00_NeikiAnalytics.exe	omsecor.exe
PID 4364 wrote to memory of 2580	4364	0f33803ad4a6eab18c108a93e8ed6e00_NeikiAnalytics.exe	omsecor.exe
PID 2580 wrote to memory of 3048	2580	omsecor.exe	omsecor.exe
PID 2580 wrote to memory of 3048	2580	omsecor.exe	omsecor.exe
PID 2580 wrote to memory of 3048	2580	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\0f33803ad4a6eab18c108a93e8ed6e00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0f33803ad4a6eab18c108a93e8ed6e00_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4364

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
80KB

MD5
84886f634019a6e8697756417f103e44

SHA1
b4ed1ba65002f222596c4ed010a01342d739a7ba

SHA256
94de9aad899088e368a87b84edc0e1a1d70213f86b5f34a8e0bbca0924c759ea

SHA512
16f18947e085e91eb5c41e7f7360907f9fec0549892b241d909d44a5a88e5f0237dccc7ef5181afa5b36548043bfb4a97d4a1b8b8c821f11d0800f6183b40825

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
80KB

MD5
32c78a437f970901fd855e9b4918fbac

SHA1
9d663a18889d25a4749aa005973348fc09204978

SHA256
3f136b3b1e2575154b4c7ce1bfa1bc97c383e159fa5b6e0c89e084ea709f3c01

SHA512
d709725f9ab304df0434bd50defd98714fe4f31463af311cfa77286edd764bb9544c43ec15b2896cc9f2762c242d0dcfddd71cc6df00d81754667b683b85bf94

Download Submit