neconyd | e6a26302099d5295c27a34970f49129410cd1312b0e882a006e07e8a8b5326d9

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 18:51

Target

e6a26302099d5295c27a34970f49129410cd1312b0e882a006e07e8a8b5326d9.exe
Size

92KB
MD5

38dc38927f71c69e1834afa5b89f63ae
SHA1

bb4958c6dfdda98cf2a819ea5f81c1c4cddb84e0
SHA256

e6a26302099d5295c27a34970f49129410cd1312b0e882a006e07e8a8b5326d9
SHA512

4830fae68028449ddd372dae0b81153b8f465cd18e0816e77781cd87e652df425d3a451a034d7a65747718f6a8ab7d610dc6b5212b157e6e8cab0053c3b1ce5a
SSDEEP

1536:Dd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5:jdseIOyEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
2940	omsecor.exe
1620	omsecor.exe

Loads dropped DLL 4 IoCs

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2940	2776	e6a26302099d5295c27a34970f49129410cd1312b0e882a006e07e8a8b5326d9.exe	28
PID 2776 wrote to memory of 2940	2776	e6a26302099d5295c27a34970f49129410cd1312b0e882a006e07e8a8b5326d9.exe	28
PID 2776 wrote to memory of 2940	2776	e6a26302099d5295c27a34970f49129410cd1312b0e882a006e07e8a8b5326d9.exe	28
PID 2776 wrote to memory of 2940	2776	e6a26302099d5295c27a34970f49129410cd1312b0e882a006e07e8a8b5326d9.exe	28
PID 2940 wrote to memory of 1620	2940	omsecor.exe	32
PID 2940 wrote to memory of 1620	2940	omsecor.exe	32
PID 2940 wrote to memory of 1620	2940	omsecor.exe	32
PID 2940 wrote to memory of 1620	2940	omsecor.exe	32

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
8cf7a285319bbc56e89e7ba1f887399c

SHA1
92508908e574bfe7182ca73d7a647c4da964c250

SHA256
bba74ee7bbc9871c786744af018f0c5136d9a94ef3cd5554df5d650824b4b298

SHA512
adc22f6cd8cc9ca9a8e36bd36ee6c6ac8c4a8e14151373133b9ba96407b8561b16ff83487c11c49d968dffd7269ef803fa0e2849f6c04e62f21f11492cdd518a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
6a3312be1c9581a07d67efe25348c8c1

SHA1
76e3bf36ba763a67f600841ced0df0f3b14c4fba

SHA256
457ff7f79f0c36cf597af477384c56bae32aaf169cca3adbbb16656dbc544a1f

SHA512
e6925959c7973adabd806206688b79f2fcfc3d443c6d638cff59afa071dea51d9c9d74181125cd49caf5fb4b94a08f99b5cceb510fe8a2332afcde4ec4dba56c

Download Submit
memory/1620-27-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2776-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2776-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2940-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2940-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2940-17-0x00000000003C0000-0x00000000003EB000-memory.dmp

Filesize
172KB

Download
memory/2940-23-0x00000000003C0000-0x00000000003EB000-memory.dmp

Filesize
172KB

Download
memory/2940-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download