neconyd | 2881d0b1f21dba86c8663c988b715c9744c6360ae364809356245ecddcc6978f

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 04:49

Target

2881d0b1f21dba86c8663c988b715c9744c6360ae364809356245ecddcc6978f.exe
Size

80KB
MD5

4879096f99fe8a9fe19d5726fd278d1b
SHA1

4276ec956286d56b45fb1bcb8bfefc1fce0d00e4
SHA256

2881d0b1f21dba86c8663c988b715c9744c6360ae364809356245ecddcc6978f
SHA512

c224cfceb972d71661fada90b2ed6f94b0a3084cfba9c9cfbe002ecb88f954bb5c1f7e570a5533de41854a72d0fd77725e889dbb28b76436b5c763bacf79fff4
SSDEEP

768:SfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:SfbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1416 omsecor.exe
1248 omsecor.exe
964 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2881d0b1f21dba86c8663c988b715c9744c6360ae364809356245ecddcc6978f.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1696 wrote to memory of 1416	1696	2881d0b1f21dba86c8663c988b715c9744c6360ae364809356245ecddcc6978f.exe	omsecor.exe
PID 1696 wrote to memory of 1416	1696	2881d0b1f21dba86c8663c988b715c9744c6360ae364809356245ecddcc6978f.exe	omsecor.exe
PID 1696 wrote to memory of 1416	1696	2881d0b1f21dba86c8663c988b715c9744c6360ae364809356245ecddcc6978f.exe	omsecor.exe
PID 1416 wrote to memory of 1248	1416	omsecor.exe	omsecor.exe
PID 1416 wrote to memory of 1248	1416	omsecor.exe	omsecor.exe
PID 1416 wrote to memory of 1248	1416	omsecor.exe	omsecor.exe
PID 1248 wrote to memory of 964	1248	omsecor.exe	omsecor.exe
PID 1248 wrote to memory of 964	1248	omsecor.exe	omsecor.exe
PID 1248 wrote to memory of 964	1248	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\2881d0b1f21dba86c8663c988b715c9744c6360ae364809356245ecddcc6978f.exe
"C:\Users\Admin\AppData\Local\Temp\2881d0b1f21dba86c8663c988b715c9744c6360ae364809356245ecddcc6978f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:964

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
80KB

MD5
b35b62c9b709d516c0c1f2a33dc6a138

SHA1
e89247b1ebe4cb7080db0bacea491fa7dbf237da

SHA256
f30eee431defa81a149a44bef4f0cce289190d8ff70c67ccaf8cbdf99666cb10

SHA512
2fc63edf3fb081cc3772a3ba9fb822b6959544713edd4facda45475e9d48b40a1512b73d43fa73b6f20f85646c5aa407442a52f7fa4134ec9bd0d2c2cd0f3329

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
80KB

MD5
4a280581dcd4af788580c2042f34b3d4

SHA1
537c91f4ca7a42741cc17e87951eac353296059e

SHA256
e7b9c61e9ec14b3531371193b0d06bbad94703bb69a790bba9ee63c5e23cec42

SHA512
af81a41003b9630295d76eb82ed95fc94c631d45bbaedb7e6377ad26ef025142cc59b35936f07a6ca5c4b76117358cf54c6d4ff09cf373e3872f517d3257f4a5

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
80KB

MD5
da8cc74b924ecea8f8a886c91f6344cd

SHA1
f47bc797731cea801d12c75e754d59579c35d564

SHA256
0d7fa6d56a604707d521ffcb66945e342acee8df06ce23321226e682fc0bd200

SHA512
fe6ce8cc50d1a9bfb71f6ac17de0454b515fab1511b4b0ddf2e31fd364020ef3a8b72753608a03398c75f51fd35140ed03df4b9f03019b0b71473100d4d0c4d8

Download Submit