neconyd | 68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 11:29

Target

68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe
Size

76KB
MD5

c6928f88335e8de599699531bfb05da0
SHA1

05bab1e52ed3986f3b9e03458ad38dac9e51769c
SHA256

68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2
SHA512

a6288be35b8b02e547244a5f8b07cc865d4fa6df837a16a6c321a9823280816cd368331dc96c55c0c7d084c10909b64d36c6ea1f1b954eeff6a44c1d20ac56ac
SSDEEP

1536:ad9dseIOcE93dIvYvZEyF4EEOF6N4yS+AQmZTl/5R11:6dseIOKEZEyFjEOFqTiQm5l/5R11

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

4884 omsecor.exe
3152 omsecor.exe
Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe

pid	process
4884	omsecor.exe
3152	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exeomsecor.exe

description	pid	process	target process
PID 4692 wrote to memory of 4884	4692	68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe	omsecor.exe
PID 4692 wrote to memory of 4884	4692	68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe	omsecor.exe
PID 4692 wrote to memory of 4884	4692	68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe	omsecor.exe
PID 4884 wrote to memory of 3152	4884	omsecor.exe	omsecor.exe
PID 4884 wrote to memory of 3152	4884	omsecor.exe	omsecor.exe
PID 4884 wrote to memory of 3152	4884	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
76KB

MD5
5ed2b3da5601676f7dcab676d04c19d7

SHA1
44ced867ecd6435f0283c46544bf6c574d09ddb8

SHA256
3261f5a6b0bea00bfbc1a1a53a7489fe4b56f3402525845ccd0e38735574e4c0

SHA512
76c5e8dccd146799d45ad554ede8e231551188e1a997bbf8019f9144eb8c9e011a471fae18ecfc7ebcdcfbbbef05e5c66b53d4d590e17348cb0eae99f49d0197

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
76KB

MD5
144ea80d6170bfcc140ee2b8bdf8e206

SHA1
d0bd692c15fca14241d3785e154245f97928587b

SHA256
68cca0011c6e7cb555a24ab70494a2bc1b2da5dd2842fdefd327f538b936ffc1

SHA512
aae0bf998d2df0d24a03756aca39e77377f9dd9f30969e3d3a6b1df3447b9af9817665d454493bd758adc4c517c432e6f08386fefcaff1fa494f4d4d2b86daf6

Download Submit
memory/3152-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3152-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4692-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4692-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4884-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4884-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4884-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download