neconyd | f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 05:30

Target

f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d.exe
Size

61KB
MD5

66a69566b110ea0447649d0b566fd205
SHA1

e435b237e620e9ff5d517669835172ec776d9cab
SHA256

f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d
SHA512

f1a8ae297e59c8075e18d254abfeb046461fe75a29bd30ee30cdbb340bf88a4ca0774f22ac09fa3473223a860a77c93a6afce6731eb64dca97d76defa49c8320
SSDEEP

1536:Vd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZIl/5:ddseIOMEZEyFjEOFqTiQm+l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2952 omsecor.exe
1540 omsecor.exe
2576 omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d.exeomsecor.exeomsecor.exe

pid	process
2188	f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d.exe
2188	f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d.exe
2952	omsecor.exe
2952	omsecor.exe
1540	omsecor.exe
1540	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2188 wrote to memory of 2952	2188	f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d.exe	omsecor.exe
PID 2188 wrote to memory of 2952	2188	f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d.exe	omsecor.exe
PID 2188 wrote to memory of 2952	2188	f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d.exe	omsecor.exe
PID 2188 wrote to memory of 2952	2188	f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d.exe	omsecor.exe
PID 2952 wrote to memory of 1540	2952	omsecor.exe	omsecor.exe
PID 2952 wrote to memory of 1540	2952	omsecor.exe	omsecor.exe
PID 2952 wrote to memory of 1540	2952	omsecor.exe	omsecor.exe
PID 2952 wrote to memory of 1540	2952	omsecor.exe	omsecor.exe
PID 1540 wrote to memory of 2576	1540	omsecor.exe	omsecor.exe
PID 1540 wrote to memory of 2576	1540	omsecor.exe	omsecor.exe
PID 1540 wrote to memory of 2576	1540	omsecor.exe	omsecor.exe
PID 1540 wrote to memory of 2576	1540	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:2576

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
61KB

MD5
5c5e385e1c19583a9ba84d5d654d2c6e

SHA1
03916f08126fb293a58bf72b03a3851406aaa0b1

SHA256
d84bd68d9ecedbe280bf64c7890e96e9111573eccf9c71f818385512766de38e

SHA512
fe1d8d0dbdd8fac206d5885bda2dc92a3e9892b60f831f3a4e48a57b94a72fde17137e624f763e30cbc1d9a0086da577da1b0eee5413faa07abab7339831d6e4

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
61KB

MD5
a3ce96683aa2bed5ea8a53efa8525ec1

SHA1
1a9b48e5c3c33f0bb51e94067142de679bb39638

SHA256
40489cde87d07ff995871f247e3a338d07f4d10375018c022eb489a54fef9e56

SHA512
ec597ff6d6dbaf2db7d2999459a5daeca53a3668441ff0e2622846b0310c13ab755776512eabd7e429d1c22a1f064c93f11bd707993d64070832c92b64521aae

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
61KB

MD5
de880990f0c9c5cd6bcfba23d9ea0ee7

SHA1
c278613ee5afeda36c1142f786473aff06980d51

SHA256
016369dad5a1e89683b8243678622cc8b4d3669edf0d71e015c1739cdb40d7c9

SHA512
efc6744693a423ba0cff54b950a3bd8de1ef2ea95978743d04e2bd39930d1cd2930979755a1684f55926da65412a0d8265aab4b5c998f2f857279438af06cba8

Download Submit