neconyd | ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 02:22

Target

ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe
Size

76KB
MD5

f9fec490abb95ebaa39ef27f32a38187
SHA1

04c22d99b74a6b82a6d76289c676f8f9d52eb2e5
SHA256

ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1
SHA512

754fe00b45b473e73d6b16face1013676f87541815d9b3c7a4a3c191fcb57ec31fc2947b691d63d1d8ee6b8ab502ccc5bb9c7f40df660c2eb077ff8e32d0ab8d
SSDEEP

768:4MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:4bIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1188 omsecor.exe
1980 omsecor.exe
1548 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 4568 wrote to memory of 1188	4568	ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe	omsecor.exe
PID 4568 wrote to memory of 1188	4568	ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe	omsecor.exe
PID 4568 wrote to memory of 1188	4568	ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe	omsecor.exe
PID 1188 wrote to memory of 1980	1188	omsecor.exe	omsecor.exe
PID 1188 wrote to memory of 1980	1188	omsecor.exe	omsecor.exe
PID 1188 wrote to memory of 1980	1188	omsecor.exe	omsecor.exe
PID 1980 wrote to memory of 1548	1980	omsecor.exe	omsecor.exe
PID 1980 wrote to memory of 1548	1980	omsecor.exe	omsecor.exe
PID 1980 wrote to memory of 1548	1980	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe
"C:\Users\Admin\AppData\Local\Temp\ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1548

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
76KB

MD5
11254dd14258ba0fec3d4b265918c155

SHA1
43e64da7deb57269f6dffc3d354453618038deb5

SHA256
15e466d5145752e1ba9d815b2177f1ac0f6e21a2e6772e0948b7b4d13b64f078

SHA512
52055f8a302d6b5a2a08248af1b7ded18b22cf9a647fbbef8e6db8838b05da413e2112a95cbad77b37a9f47ed91245412130596ba8ec8d86d34b11a1a7f9866c

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
76KB

MD5
4fd26d096e4300c1d1c8b66043c7494d

SHA1
ea095c0ab2d6e712f27ba5013c418646beebaea8

SHA256
a1f6737ebe01aff242ec731526e293b85ed0c24648e826042dcd1ea95d32e88a

SHA512
ff9db681cc0ab4c2d6ad78bf7a857aa9a3d32d3c7a985393d9eebadf26be4260840dcf6bdcfee09d5c95c97d3d502401e78337d01472b4814a55b530a75aaa15

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
76KB

MD5
6e809e7dac3a51efdb0a897a8b31cb75

SHA1
194a4042676be295ca961ed26d2da8c04c0720de

SHA256
4401fd62390f1cbdc977a0add989b2517cb030c5c642a3bbf77b6be4da1e6fce

SHA512
e593b2ef53dc0aff16a0893012b1cedd174116f04999d0d2bf739c9388e4689a167b83ed0b077877136db60e9f411e7f0edcb4a52d69d4c4ad523ab0e04dda45

Download Submit