neconyd | 4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 21:59

Target

4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe
Size

92KB
MD5

48039238819621273dd529161aeb486b
SHA1

dd984aa2b189d1fefc1da2a70bce8ff9d7ad6b63
SHA256

4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418
SHA512

54c28a20fb544796a4cd779bb8b1ae79aed6e1f52d1cfb23520e067f9f407b8e6d2a35b1cce9ba2bedbf094e350c790b3bf405d940ce176b393b4fe5fa4f0de2
SSDEEP

768:iMEIvFGvoEr8LFK0ic46N47eSvYAHwmZGp6JXXlaa5uA:ibIvYvoEyFKF6N4ySAAQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

2876 omsecor.exe
804 omsecor.exe
Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe

pid	process
2876	omsecor.exe
804	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exeomsecor.exe

description	pid	process	target process
PID 3964 wrote to memory of 2876	3964	4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe	omsecor.exe
PID 3964 wrote to memory of 2876	3964	4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe	omsecor.exe
PID 3964 wrote to memory of 2876	3964	4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe	omsecor.exe
PID 2876 wrote to memory of 804	2876	omsecor.exe	omsecor.exe
PID 2876 wrote to memory of 804	2876	omsecor.exe	omsecor.exe
PID 2876 wrote to memory of 804	2876	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe
"C:\Users\Admin\AppData\Local\Temp\4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
92KB

MD5
a2864cedce63bbee3b3e9e92db69953d

SHA1
74b64a87b2d73fa162009fc4554b612dcce8dedb

SHA256
77e72fb7e9b511e876ace38a895819cde78433bfe62423fcc6ad7c978eaa2397

SHA512
4a519bf03f4a6c2a10b17cf2a5810270bb94b95f0863b043c69e49042e5e9461b22af2efa2ff56d90c6deaf6841103877c0f161cd8f0cb5f3eb13b4e7b9bf40f

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
92KB

MD5
63facc42e359ec34e3e9d28fe7615494

SHA1
0c7d112dfb6298e63a56315bc36dc8ec215df326

SHA256
be6afe4e202bd0bfa10e0b725d9118144e8045771218561b571b2da8da52735f

SHA512
100f0f19be4fb94bb4ac799349c760ef63adcf5a3ce241050099c015c64e513938081917afcf263e145487e33e28f65e746a507a4a79dd8982fdab328a5fc4d5

Download Submit
memory/804-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/804-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2876-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2876-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2876-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3964-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3964-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download