neconyd | ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 02:22

Target

ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe
Size

76KB
MD5

f9fec490abb95ebaa39ef27f32a38187
SHA1

04c22d99b74a6b82a6d76289c676f8f9d52eb2e5
SHA256

ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1
SHA512

754fe00b45b473e73d6b16face1013676f87541815d9b3c7a4a3c191fcb57ec31fc2947b691d63d1d8ee6b8ab502ccc5bb9c7f40df660c2eb077ff8e32d0ab8d
SSDEEP

768:4MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:4bIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2792 omsecor.exe
2684 omsecor.exe
1660 omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exeomsecor.exeomsecor.exe

pid	process
2036	ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe
2036	ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe
2792	omsecor.exe
2792	omsecor.exe
2684	omsecor.exe
2684	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2036 wrote to memory of 2792	2036	ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe	omsecor.exe
PID 2036 wrote to memory of 2792	2036	ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe	omsecor.exe
PID 2036 wrote to memory of 2792	2036	ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe	omsecor.exe
PID 2036 wrote to memory of 2792	2036	ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe	omsecor.exe
PID 2792 wrote to memory of 2684	2792	omsecor.exe	omsecor.exe
PID 2792 wrote to memory of 2684	2792	omsecor.exe	omsecor.exe
PID 2792 wrote to memory of 2684	2792	omsecor.exe	omsecor.exe
PID 2792 wrote to memory of 2684	2792	omsecor.exe	omsecor.exe
PID 2684 wrote to memory of 1660	2684	omsecor.exe	omsecor.exe
PID 2684 wrote to memory of 1660	2684	omsecor.exe	omsecor.exe
PID 2684 wrote to memory of 1660	2684	omsecor.exe	omsecor.exe
PID 2684 wrote to memory of 1660	2684	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1660

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
76KB

MD5
4fd26d096e4300c1d1c8b66043c7494d

SHA1
ea095c0ab2d6e712f27ba5013c418646beebaea8

SHA256
a1f6737ebe01aff242ec731526e293b85ed0c24648e826042dcd1ea95d32e88a

SHA512
ff9db681cc0ab4c2d6ad78bf7a857aa9a3d32d3c7a985393d9eebadf26be4260840dcf6bdcfee09d5c95c97d3d502401e78337d01472b4814a55b530a75aaa15

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
76KB

MD5
8a78968eca8580088ce1adc12edf12f4

SHA1
d3b3b54ec73b49766697e04a8c254b76b5fe231b

SHA256
1a652e5fb1571f285195485e3fac137504df448c636daa873d1240ddf9136834

SHA512
c80480c78ca4a376faee485841d7eeee5a0af82721c8a98fd22c62367461820989d3e4b7c5357f2b4621d7f4351db7a26285c8b2040ce6e37ecae3f23ea2d7d3

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
76KB

MD5
41fa32c8593c610b2069bcc4fb34c4d3

SHA1
e4f99099d998f9dfe2d52aba6add7524f59d2584

SHA256
5abad2dc3edb7b16638f15bc715ca5af1681e792ced84580644dd813d9bd74f6

SHA512
2255f271103f0a4620b1e411013a0e8e2e6dc6a6bed4cf5279c2052fbb8c4d616735eef58c3e3d127239210de532fcd6c2237b9c5050761f43edc05b3c5c52ad

Download Submit