neconyd | 10be9207f89cbc7d808698723e9bb229e63f354d3a53b962c97de3a5689a7149

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 18:47

Target

10be9207f89cbc7d808698723e9bb229e63f354d3a53b962c97de3a5689a7149.exe
Size

68KB
MD5

39d600ea102b74e8c29822f860a6588f
SHA1

ac3e5914070ce75c6663d966aa0d6a0bd6c2f0ba
SHA256

10be9207f89cbc7d808698723e9bb229e63f354d3a53b962c97de3a5689a7149
SHA512

9b8150df5e84cbdf136642315cd57e0fdbc100fb8fd4eeabdeb251a9f26385eaaf8b809a6cb01c2c495f153c59336a5cae4e427702d5d883e1b1ec704aaec2bc
SSDEEP

1536:Td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:TdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 1928	4632	10be9207f89cbc7d808698723e9bb229e63f354d3a53b962c97de3a5689a7149.exe	80
PID 4632 wrote to memory of 1928	4632	10be9207f89cbc7d808698723e9bb229e63f354d3a53b962c97de3a5689a7149.exe	80
PID 4632 wrote to memory of 1928	4632	10be9207f89cbc7d808698723e9bb229e63f354d3a53b962c97de3a5689a7149.exe	80
PID 1928 wrote to memory of 3516	1928	omsecor.exe	89
PID 1928 wrote to memory of 3516	1928	omsecor.exe	89
PID 1928 wrote to memory of 3516	1928	omsecor.exe	89
PID 3516 wrote to memory of 2528	3516	omsecor.exe	90
PID 3516 wrote to memory of 2528	3516	omsecor.exe	90
PID 3516 wrote to memory of 2528	3516	omsecor.exe	90

C:\Users\Admin\AppData\Local\Temp\10be9207f89cbc7d808698723e9bb229e63f354d3a53b962c97de3a5689a7149.exe
"C:\Users\Admin\AppData\Local\Temp\10be9207f89cbc7d808698723e9bb229e63f354d3a53b962c97de3a5689a7149.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:2528

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
2b6c88eb7a82e1f703479e44cfb3d227

SHA1
a408423b20adf32effe720a89734aa95f76ef4e9

SHA256
f2a5fe8bbaabda177db944f5c9f513b1621cee0d033272732d1d25b371ba9e4e

SHA512
d90630eb73a005d007e7f6260e042125e034005371807a63ec9d5a268c848c614d27a149e025553e81b83a7bab2f171dd0b5cd767b0817b2641e371f98afaf6c

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
68KB

MD5
b3fd6e181cebe1dd4193d3b79c86c467

SHA1
db25371e4788bb7db90a8a54ac5ceebe20995ae2

SHA256
0f671a41ff777b720c73b4d9c0441b3c15078c57b66e01d426f31782a7a6b308

SHA512
f241dba4671ad953efbaf9e3f6a3f215d8677cde76d4e34ff6c80422bfaa8c74c3c27de96f9819bb3f349949d081eb3a7a04577ce881263ca55b456aaa9b896f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
68KB

MD5
207fdb907fbc0347524dce90fd1bcbb5

SHA1
51279480b87ec471364feb87b26b952d6c939293

SHA256
961dacc669f1285684e922f143a29421eae358004ed29663ec9d07c3a453fbca

SHA512
24ecf734f3c35893721e7b3c873b200ddc24b28f212a0da15f4d357c514a1df1cd5ecee159217c2e468598685f40fac87b9a3b2f9f00df6cc47afe11dc9bda24

Download Submit