neconyd | b97438ab261c8e334e6d6d20ab8480264b33f0749d991d04694a1de8e291dc73

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17/06/2024, 02:13

Target

34da1b0e0844725559275ea4a55c52b0_NeikiAnalytics.exe
Size

84KB
MD5

34da1b0e0844725559275ea4a55c52b0
SHA1

a691fbc42323ee7bd15a424001093383b1c77c41
SHA256

b97438ab261c8e334e6d6d20ab8480264b33f0749d991d04694a1de8e291dc73
SHA512

5078694fe7c6d73c43e9a351e027dc6aa03b0643ba22f6d3832920a4f159a11a918cdcbd4bfcad598eeffddd2b8511398a9e7d888161bef34354869e5132fc45
SSDEEP

768:UMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:UbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Loads dropped DLL 6 IoCs

pid	Process
1192	34da1b0e0844725559275ea4a55c52b0_NeikiAnalytics.exe
1192	34da1b0e0844725559275ea4a55c52b0_NeikiAnalytics.exe
1244	omsecor.exe
1244	omsecor.exe
1708	omsecor.exe
1708	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1244	1192	34da1b0e0844725559275ea4a55c52b0_NeikiAnalytics.exe	28
PID 1192 wrote to memory of 1244	1192	34da1b0e0844725559275ea4a55c52b0_NeikiAnalytics.exe	28
PID 1192 wrote to memory of 1244	1192	34da1b0e0844725559275ea4a55c52b0_NeikiAnalytics.exe	28
PID 1192 wrote to memory of 1244	1192	34da1b0e0844725559275ea4a55c52b0_NeikiAnalytics.exe	28
PID 1244 wrote to memory of 1708	1244	omsecor.exe	32
PID 1244 wrote to memory of 1708	1244	omsecor.exe	32
PID 1244 wrote to memory of 1708	1244	omsecor.exe	32
PID 1244 wrote to memory of 1708	1244	omsecor.exe	32
PID 1708 wrote to memory of 2160	1708	omsecor.exe	33
PID 1708 wrote to memory of 2160	1708	omsecor.exe	33
PID 1708 wrote to memory of 2160	1708	omsecor.exe	33
PID 1708 wrote to memory of 2160	1708	omsecor.exe	33

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
324045731cc5e0659c56f82aaa2a1b18

SHA1
479711e87e126c9f300208df4c0ee2a589203d71

SHA256
e6a447dfbe0793b7614da4e68c3eaa1fa40a093cdf9db27140b1287e8e09b085

SHA512
b8f6f042b99aa82a7b9df33ce2b54482d3d0ec9852a30c99e60335203f80d2fd4d5c326770296dd0ff079246eeab9337ef85bd4503b50768c6c8cf93091e2ffb

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
84KB

MD5
dc41fd707b0b6345a88a6d087a6bbea2

SHA1
fe39d783072bd7a2b403740dbf032adee138cfcc

SHA256
570a79117218aeaf2130008b4549fe19b26c6d0a1983a918a2a6874e79b81cda

SHA512
e535f32e631c6cb404c7185c2f2eabbd915e357789fbc6a05f2f24903070bff4392af9833be0a28a70438dd7608aa33c3eb840129e06af8d5a97ad60ea98b173

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
84KB

MD5
70bc118fa367e66e30f60d8a0f898d80

SHA1
6ff4f2e5e3ac974b6065ee74d7aa9a7118d88718

SHA256
356d8334b1b8fa3cfdf6b4b865d728359cac4579d7cb7dee14af230f8f9a4682

SHA512
63a67a8d6acf0093308a0c9ed94d57eb7b8330db403db1f9d9e5a5444db1f5f8ec7fb0385cfaba175a2ece7cbf954399ff414b627799b82e3265a4245d197474

Download Submit