neconyd | fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 05:44

Target

fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5.exe
Size

84KB
MD5

89521907ab2d4883740b5a0af3763785
SHA1

7b1bee9219065ea6aa4422b308a2073bd97d0c53
SHA256

fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5
SHA512

b71198c73ab4f0e71ea6b3d62b6d0022ca4986475928a02072c38334b725b8b75ba5c941f939b1ab04b5ffbd3897c5f45c94bc6b33fcdb9840772158f7b3ab06
SSDEEP

1536:td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:FdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1624 omsecor.exe
2020 omsecor.exe
2328 omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5.exeomsecor.exeomsecor.exe

pid	process
2964	fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5.exe
2964	fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5.exe
1624	omsecor.exe
1624	omsecor.exe
2020	omsecor.exe
2020	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2964 wrote to memory of 1624	2964	fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5.exe	omsecor.exe
PID 2964 wrote to memory of 1624	2964	fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5.exe	omsecor.exe
PID 2964 wrote to memory of 1624	2964	fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5.exe	omsecor.exe
PID 2964 wrote to memory of 1624	2964	fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5.exe	omsecor.exe
PID 1624 wrote to memory of 2020	1624	omsecor.exe	omsecor.exe
PID 1624 wrote to memory of 2020	1624	omsecor.exe	omsecor.exe
PID 1624 wrote to memory of 2020	1624	omsecor.exe	omsecor.exe
PID 1624 wrote to memory of 2020	1624	omsecor.exe	omsecor.exe
PID 2020 wrote to memory of 2328	2020	omsecor.exe	omsecor.exe
PID 2020 wrote to memory of 2328	2020	omsecor.exe	omsecor.exe
PID 2020 wrote to memory of 2328	2020	omsecor.exe	omsecor.exe
PID 2020 wrote to memory of 2328	2020	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:2328

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
84KB

MD5
a97e0e0ee726098f71805bbdbc5b0be1

SHA1
563e9814c43845884380c1fb22b9afd44ea09751

SHA256
554b3233ea3f389f3f10197cfd709d799937e6d4fcbed807e63b38543a3e70e0

SHA512
33b307b988cd396d3a74b831cc689fa048796c920930520ce026f0133e58a19b8a194b6dd81b8a2e1fc7922867631aa41b12c5c10cf387298ecfa063f38ab213

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
84KB

MD5
4101d3aa205da249687d826f846fe548

SHA1
e397513a129f42c9c90737377da0e0b318b018d3

SHA256
55e7db61bde4c476eb479af8801114219b1ff6b9de00978ffedebd54635d0c7b

SHA512
accb5957e745b9dc4794d387681974b109c35e6d7109e438d7cbb8a002ab1ecfb953712673c71374a9128055b0c5728bea6c8a0254dbad680c458e25ad6fd59a

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
84KB

MD5
caf505c601c3fe8982ca9e52fd4ecebf

SHA1
bd6a4df4a2fb82e85a9aa601e46ee9f73c5f2332

SHA256
019d7226ea8503616e9164e8b92e846b36f48768531bd9f89350ffcc5e590457

SHA512
704109d65f58c5d8e6139230f5c801e10fd4bfb1de22f490663f77079844ebedfc13d823f6e219e6227cb7b2bb777dc057129c504da37181295ad9145df3f2f7

Download Submit