neconyd | 225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 00:15

Target

225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166_NeikiAnalytics.exe
Size

84KB
MD5

3cccb437868232dba633287f5e7cd3d0
SHA1

c0063f89554c9eef85e02baf11d12c359015d88f
SHA256

225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166
SHA512

1c73aab60ca41f6490db74b888c98e7259ba69ed89374bae539de375fc875f0816b1d1ded2b8ef45ad213654da8f1ff901a4aecd6faafce2258943d5511b8d14
SSDEEP

1536:Kd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:KdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

1248 omsecor.exe
4768 omsecor.exe
2616 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1000 wrote to memory of 1248	1000	225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166_NeikiAnalytics.exe	omsecor.exe
PID 1000 wrote to memory of 1248	1000	225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166_NeikiAnalytics.exe	omsecor.exe
PID 1000 wrote to memory of 1248	1000	225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166_NeikiAnalytics.exe	omsecor.exe
PID 1248 wrote to memory of 4768	1248	omsecor.exe	omsecor.exe
PID 1248 wrote to memory of 4768	1248	omsecor.exe	omsecor.exe
PID 1248 wrote to memory of 4768	1248	omsecor.exe	omsecor.exe
PID 4768 wrote to memory of 2616	4768	omsecor.exe	omsecor.exe
PID 4768 wrote to memory of 2616	4768	omsecor.exe	omsecor.exe
PID 4768 wrote to memory of 2616	4768	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:2616

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
84KB

MD5
e3ec2b661cf8c831e47f8509a729914b

SHA1
cb7b7517272857393c2cd3775bb7a93b316ecdbc

SHA256
d8c65828ff53782b7a8b5ef741c8f0be345576065d28b6ea78705019511da063

SHA512
3e8be4a143e97fed220dc9f1507f9a33be18c67a7223508e7bf9eae1db4493ba47feb89590f2d743ee7c25bdf615d8236dec3f2a7c9ab4725ae536603613927b

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
84KB

MD5
aae4bf58a341d254c8636c5e65555e88

SHA1
06f420d5b29543299cba9f88ab337cefa3528489

SHA256
d20cd6c5e20036357b511160740cb3de352b32e0f81a9e4c651da12f86fa490f

SHA512
4e362f96017c2e0a4d2495ed5a4c69bf25851e5cd7bb0584e6d43962fda16a00458317845287e04f835aa17ccb554fae93b76a1c33ac6a5d77ae864246243ec7

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
84KB

MD5
4e27cb0fda8b93dee7a1e4393817367a

SHA1
7d6ff00625c90736f2f7dff738155044c01c3d8c

SHA256
841dee9925897cfdae66904ada53c83e95e37d137a776f864b0a211da083783f

SHA512
b7bab6003192afaff29e612acf6dea36c60891834510c93403688fdd6c6a84bcef6b335a04b1f34789841dd00b0cf10c336458b13ea252a839a990983b261a59

Download Submit