neconyd | ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 19:07

Target

ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe
Size

76KB
MD5

6c91618b400534c4f5023e9e291f2872
SHA1

46731e532f24dd3ec64bd9f0082a6c2ccc8fdcd4
SHA256

ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de
SHA512

98670f31c3fc0f7655b50aa3867fa89f9d43af2b182a42731e21b30fe0a21437eeb3a666e11ff41e5d7dc62cf2c8ace385d116c884ee3a747ca5d12e46d614b5
SSDEEP

1536:pd9dseIOcE93dIvYvZDyF4EEOF6N4yS+AQmZTl/5R11:pdseIOKEZDyFjEOFqTiQm5l/5R11

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 2 IoCs

pid	Process
4896	omsecor.exe
4672	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 4896	3148	ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe	91
PID 3148 wrote to memory of 4896	3148	ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe	91
PID 3148 wrote to memory of 4896	3148	ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe	91
PID 4896 wrote to memory of 4672	4896	omsecor.exe	101
PID 4896 wrote to memory of 4672	4896	omsecor.exe	101
PID 4896 wrote to memory of 4672	4896	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe
"C:\Users\Admin\AppData\Local\Temp\ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:4492

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
a7f31a4455044935b61af7af119c39ec

SHA1
a9e6bb3ade77fd041178f61c79c2445782d16daf

SHA256
d7fc0e31f36dbd4b9feef2a2c644ebf3cea080f179370de88148fc8efd84b719

SHA512
8350b14bde59b349940a53bd2e27581b3bb3d6b37b3d2749d81163fc16f75e401dc8dbae61f4462916cc02ca54c9644506e21c98d9527d4f32b3d844c894bab8

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
a6149556c69e4bc1a7eb37a045a3247d

SHA1
53395412a5cae54b4ee6fcf429153ba637d7f4ec

SHA256
c48e3f8c9607ad4503cefa93a31849c51d993e54d59f48cceea6529364e65ab2

SHA512
c85b14210464c6eebb10f614a7f311b72d6c5ae589f4bbd50164534fd1ff5e35fc7e929a2560cd32e3b666a61b79c376ce6cad40fae2dc2bebf058534a1f7612

Download Submit
memory/3148-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3148-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4672-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4672-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4896-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4896-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4896-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download