neconyd | d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2024 10:47

Target

d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158.exe
Size

61KB
MD5

cd34a7b180bc9d2d70c78d096e4addb8
SHA1

bc28dd6f224cc1680b8a7304d73ae77b36676867
SHA256

d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158
SHA512

3474ab4a44db8066734f57c348b3d9328ef024697a7e40ed8243c4d056cef250d225260ab5df4281805da72db37181e7502b5515e06245c1bd14efdd141890af
SSDEEP

1536:Pd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZml/5:ndseIOMEZEyFjEOFqTiQmAl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1564 omsecor.exe
2364 omsecor.exe
3756 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3592 wrote to memory of 1564	3592	d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158.exe	omsecor.exe
PID 3592 wrote to memory of 1564	3592	d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158.exe	omsecor.exe
PID 3592 wrote to memory of 1564	3592	d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158.exe	omsecor.exe
PID 1564 wrote to memory of 2364	1564	omsecor.exe	omsecor.exe
PID 1564 wrote to memory of 2364	1564	omsecor.exe	omsecor.exe
PID 1564 wrote to memory of 2364	1564	omsecor.exe	omsecor.exe
PID 2364 wrote to memory of 3756	2364	omsecor.exe	omsecor.exe
PID 2364 wrote to memory of 3756	2364	omsecor.exe	omsecor.exe
PID 2364 wrote to memory of 3756	2364	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158.exe
"C:\Users\Admin\AppData\Local\Temp\d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:3756

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
61KB

MD5
24c9b2049ce901b171f2f6d549f8c450

SHA1
1cc6bc4032c8fcd963f1ce6f7c24bbeacebbbee0

SHA256
7d67ab611aaeafb6edbaca39ae6472b935d1938dcfba6520865adbd35fee15f0

SHA512
f439f5d71db8f2cf2227bf7cb36e5550bf0e571e59090df948704a7100432cfe70c0cff83129f557b3fc7805b70bf09aaeb8de6ea05a7ce136debba1b5158d4f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
61KB

MD5
fb1f219782a642c767a805bc122b018c

SHA1
d57f4b2db148139254d797d0f65d46a409ddff81

SHA256
46c62020da2d9ff8b2ac5dc0c93b9abf5ece2cb386533195f6e17b6bedf33d9a

SHA512
53705c4552747ed886d55be6ce24e31baf669e82e833faaeed0e36db7dedd9372dc72399654e1899353b755c99870164cda8d5d925cd1d4ee5a9451405c44da0

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
61KB

MD5
c1f85589d82d61bf9921e7fcf6f65508

SHA1
328cea658bd70e228ac896dd65bee9f69e1726bf

SHA256
f2e0d44daacc249118ecb1076730476c724decc3184f722fa01bfa672775915a

SHA512
bceeb480a6e2f6c290a1aa01b76e97ec97a93d70f0ba3ad6f8954c329c61b36c1526f35f73ca86bf4b851b6444e375f3e74d206f2faef2a8fd044646af45dd52

Download Submit