neconyd | f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 05:30

Target

f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d.exe
Size

61KB
MD5

66a69566b110ea0447649d0b566fd205
SHA1

e435b237e620e9ff5d517669835172ec776d9cab
SHA256

f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d
SHA512

f1a8ae297e59c8075e18d254abfeb046461fe75a29bd30ee30cdbb340bf88a4ca0774f22ac09fa3473223a860a77c93a6afce6731eb64dca97d76defa49c8320
SSDEEP

1536:Vd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZIl/5:ddseIOMEZEyFjEOFqTiQm+l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

5052 omsecor.exe
4580 omsecor.exe
Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe

pid	process
5052	omsecor.exe
4580	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d.exeomsecor.exe

description	pid	process	target process
PID 4592 wrote to memory of 5052	4592	f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d.exe	omsecor.exe
PID 4592 wrote to memory of 5052	4592	f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d.exe	omsecor.exe
PID 4592 wrote to memory of 5052	4592	f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d.exe	omsecor.exe
PID 5052 wrote to memory of 4580	5052	omsecor.exe	omsecor.exe
PID 5052 wrote to memory of 4580	5052	omsecor.exe	omsecor.exe
PID 5052 wrote to memory of 4580	5052	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d.exe
"C:\Users\Admin\AppData\Local\Temp\f5c25fcca2bcf2cd2c68dc7bf354c81941dba2f11235aeedd0913ce10ebd4a8d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4224,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:8
1⤵
PID:3764

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
61KB

MD5
a3ce96683aa2bed5ea8a53efa8525ec1

SHA1
1a9b48e5c3c33f0bb51e94067142de679bb39638

SHA256
40489cde87d07ff995871f247e3a338d07f4d10375018c022eb489a54fef9e56

SHA512
ec597ff6d6dbaf2db7d2999459a5daeca53a3668441ff0e2622846b0310c13ab755776512eabd7e429d1c22a1f064c93f11bd707993d64070832c92b64521aae

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
61KB

MD5
48592281885d2d69458e4f36363a99c4

SHA1
1ee3227bf720e0d9a9f3ea76c6bba4805d39fcd2

SHA256
605e35c45a4006ffbaeee7454f1135c2b7e48690bc33461bed1c23e3d95f0b06

SHA512
cdc88cac48a93c021eb9615d072bc63cbd00912f8b4868878b820c33d0384c83387fc564145c5cc525b82bd9d9bff12bfb4fa4cbc406972eba10ddf8ffdb78f8

Download Submit