neconyd | 290714ed433f7e77c1d985f1232580a8928b149900450ca7a2831e092ea43dd1

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 04:52

Target

290714ed433f7e77c1d985f1232580a8928b149900450ca7a2831e092ea43dd1.exe
Size

64KB
MD5

ed238f3d3a197b90e594c4b3a595f5c0
SHA1

24a229dc0336f8f2a0315b00c4134e5ae7d23fac
SHA256

290714ed433f7e77c1d985f1232580a8928b149900450ca7a2831e092ea43dd1
SHA512

e97cbc696a09ae4bd6f2505647970ecd7c18a366ae2bf9fcfd6e02e38d4f6973d2742541427a33bb67a2860a887a36ad0cc1342aa559f0f6ada66c2422fdc13e
SSDEEP

768:eMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:ebIvYvZEyFKF6N4yS+AQmZcl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

4876 omsecor.exe
392 omsecor.exe
1792 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

290714ed433f7e77c1d985f1232580a8928b149900450ca7a2831e092ea43dd1.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2540 wrote to memory of 4876	2540	290714ed433f7e77c1d985f1232580a8928b149900450ca7a2831e092ea43dd1.exe	omsecor.exe
PID 2540 wrote to memory of 4876	2540	290714ed433f7e77c1d985f1232580a8928b149900450ca7a2831e092ea43dd1.exe	omsecor.exe
PID 2540 wrote to memory of 4876	2540	290714ed433f7e77c1d985f1232580a8928b149900450ca7a2831e092ea43dd1.exe	omsecor.exe
PID 4876 wrote to memory of 392	4876	omsecor.exe	omsecor.exe
PID 4876 wrote to memory of 392	4876	omsecor.exe	omsecor.exe
PID 4876 wrote to memory of 392	4876	omsecor.exe	omsecor.exe
PID 392 wrote to memory of 1792	392	omsecor.exe	omsecor.exe
PID 392 wrote to memory of 1792	392	omsecor.exe	omsecor.exe
PID 392 wrote to memory of 1792	392	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\290714ed433f7e77c1d985f1232580a8928b149900450ca7a2831e092ea43dd1.exe
"C:\Users\Admin\AppData\Local\Temp\290714ed433f7e77c1d985f1232580a8928b149900450ca7a2831e092ea43dd1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1792

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
64KB

MD5
63a5b3b0a24fe57b009e0964775c5f44

SHA1
605719c673241a1433d9895668ede64d78546c2c

SHA256
412ab92e233a436d0d9d0c912141d5b90ca408dd931c658c912e62b4841ff86b

SHA512
04af7f80ffb1995b2f056bdfb1121b79db553ed95ca40bd92134d3d0e48057913f4a900fb44ac22038605e23b23ea57d680ab8ef36f6d7539b4bc4ebc9263924

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
64KB

MD5
d7550bbbf87c0a2b62ea71b8121412d2

SHA1
09b1999812e5df3c5f61453924d39089d553bd24

SHA256
20431ee18dde0ce45a445f734f0cff53f218f4bbc4f4317f066327bd35fa7aa4

SHA512
a65f5716059e07562bd6f46a3f540f888dfebdfb63b2aa4496491747509b04c901a1bf57d92cb65c9125fba89f3dfb6ed9074c8bdd0f36500da1bf7dc85d7bf4

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
64KB

MD5
9763e7a73905592878cabf4f5ccd0521

SHA1
7d2c855d8da30a1fbe96f355e2a06e8a5beb401c

SHA256
8c936d484b0881a5b1a086ee7773f43aaa05e50f22a95b41fdd42462b8ede4b4

SHA512
480bfb0b205f02fcb53d9cd1ed36c7ef589630c7b5696ac9b0d0885bb81f437bcf35c93aba63e4e8993ab469b6bf53111bec3d5596af379bef68d74a2340c9cb

Download Submit