neconyd | 55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 22:14

Target

55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef.exe
Size

72KB
MD5

caedc4dcf07fa727086b369c69d7bad3
SHA1

dd1146e8f4bf9d62ec96135a2cbaf1f3b2c6c11e
SHA256

55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef
SHA512

4bbdf4f1686603685dd0250263505435ab5e4a526bd765d01935cbe99d86ee3c4209897dc1172e5b4ca5b49041668095850dda7eead34f160ee24db5ef234c1c
SSDEEP

768:4MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:4bIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

2692 omsecor.exe
2116 omsecor.exe

pid	process
2692	omsecor.exe
2116	omsecor.exe

Loads dropped DLL 4 IoCs

Processes:

55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef.exeomsecor.exe

pid	process
2852	55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef.exe
2852	55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef.exe
2692	omsecor.exe
2692	omsecor.exe

Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef.exeomsecor.exe

description	pid	process	target process
PID 2852 wrote to memory of 2692	2852	55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef.exe	omsecor.exe
PID 2852 wrote to memory of 2692	2852	55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef.exe	omsecor.exe
PID 2852 wrote to memory of 2692	2852	55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef.exe	omsecor.exe
PID 2852 wrote to memory of 2692	2852	55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef.exe	omsecor.exe
PID 2692 wrote to memory of 2116	2692	omsecor.exe	omsecor.exe
PID 2692 wrote to memory of 2116	2692	omsecor.exe	omsecor.exe
PID 2692 wrote to memory of 2116	2692	omsecor.exe	omsecor.exe
PID 2692 wrote to memory of 2116	2692	omsecor.exe	omsecor.exe

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
72KB

MD5
a7b84bdcd2a91e84ca55c027087f74f4

SHA1
3bfbdffae72dc6355c50ab7782313646560b759c

SHA256
1766a9f8a538544bc7793e7fe7c9b0b020eda640e6b77f021ac4b34dfefbe086

SHA512
e5c2975bd2536dd4c9600a8333dcff16516bd7b0d5f2aefe0f2d81761f2d1eed334a59e462bae4636b899ab1d131386b720354fbef08e2cc932117847c1fc443

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
72KB

MD5
3c0a2122b9bcf609d172dd731caead9c

SHA1
e979e3f3431c5ee0b8f5156c2f78c9242b050e78

SHA256
90964ff15ec3decb1ca3dcf7cd860080c1f59a08fedfbe928adf3456ebfdcf9b

SHA512
b71d8b934cf5d6686f65c6b9160639948ecfe04ba05f1b3e0b99e76c1e9d5952c26ebef17f93b0288489ed3217979cc195d4b8c2494610393b096584349477d9

Download Submit