neconyd | 3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5

Analysis

max time kernel
142s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 06:23

Target

3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5_NeikiAnalytics.exe
Size

89KB
MD5

5c0519629d68730c9f5f70d3a1c601f0
SHA1

9fcf52a1fd7aa359872d21eaa76dac0ad09e6b76
SHA256

3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5
SHA512

34c1e5b1de7a7a04bca024083ec8106d82b25f7ce3dddad568decdb7bb6ce9a35b2d7f922f6499c4b30ada948fdb90c0be82d2ada9133b768683961a6285c255
SSDEEP

768:pMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:pbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

4644 omsecor.exe
4220 omsecor.exe
5020 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3152 wrote to memory of 4644	3152	3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5_NeikiAnalytics.exe	omsecor.exe
PID 3152 wrote to memory of 4644	3152	3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5_NeikiAnalytics.exe	omsecor.exe
PID 3152 wrote to memory of 4644	3152	3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5_NeikiAnalytics.exe	omsecor.exe
PID 4644 wrote to memory of 4220	4644	omsecor.exe	omsecor.exe
PID 4644 wrote to memory of 4220	4644	omsecor.exe	omsecor.exe
PID 4644 wrote to memory of 4220	4644	omsecor.exe	omsecor.exe
PID 4220 wrote to memory of 5020	4220	omsecor.exe	omsecor.exe
PID 4220 wrote to memory of 5020	4220	omsecor.exe	omsecor.exe
PID 4220 wrote to memory of 5020	4220	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:5020

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
89KB

MD5
0bf6fbc6501949537b1b56b3a85671a8

SHA1
c36110ccbd508e2ab86559468127f747004b2f31

SHA256
ba12275bbc409d1a36d0abc4b1022e071da0ae33d3d442d13defaa985c0ba471

SHA512
d77ba27aabd75b6fde06ed6297f85108f7011c44422cf1ef5bb7d9e04ded15f332d480e9ba38c84f943d785f45f121a9bee7c187fd702421c568378c9b98111b

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
89KB

MD5
e52986ee168e1d7047383e93337b5c79

SHA1
c21e48fdc44c75eff8d7c8d0692a96678228892b

SHA256
1f480270ef537195ab187e18f62c00321bbf8b7abd987dab0d35d2224d2a70f1

SHA512
a338c29fb22b64029d1123e5f3f1432da31d3753a3613cb8402e9b3cd1acf3da97a4db7e6912b9e89732229d29a532685435f33c7db3fda24a60480ad9013bf0

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
89KB

MD5
79f8783fb55c38c80861da484c2becdf

SHA1
fe1f2643a6d7e3e4bcc78c2fc245ab924317c31f

SHA256
1d5e2ffcb13994dd6c541abeb747f5140121c1f4eb78d367cf97085f7bbb5ea2

SHA512
4322dcfef7daf1dea9d20d22321a7817a5512ef94ab2fa5ab0e523da0b0b697b6f3ec70589c39ed68a5527b6c9f2648fdc7f59a9fdf5466e0711f623c794f08c

Download Submit