neconyd | 5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-06-2024 22:31

Target

5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exe
Size

76KB
MD5

0ea8c24805504a09f0875abbb81bab14
SHA1

db97edd57526877cbc1f9ac919db244b7c642636
SHA256

5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14
SHA512

64d9fec3ab72577c83622418f4bfd9f1510f1146442e90788b824c35b50409327a78c8cb50877acd128b552d800f87f7c3602899428d131a2bc51c16ee6a04e1
SSDEEP

768:mMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:mbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

3040 omsecor.exe
1796 omsecor.exe
2332 omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exeomsecor.exeomsecor.exe

pid	process
2988	5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exe
2988	5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exe
3040	omsecor.exe
3040	omsecor.exe
1796	omsecor.exe
1796	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2988 wrote to memory of 3040	2988	5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exe	omsecor.exe
PID 2988 wrote to memory of 3040	2988	5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exe	omsecor.exe
PID 2988 wrote to memory of 3040	2988	5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exe	omsecor.exe
PID 2988 wrote to memory of 3040	2988	5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exe	omsecor.exe
PID 3040 wrote to memory of 1796	3040	omsecor.exe	omsecor.exe
PID 3040 wrote to memory of 1796	3040	omsecor.exe	omsecor.exe
PID 3040 wrote to memory of 1796	3040	omsecor.exe	omsecor.exe
PID 3040 wrote to memory of 1796	3040	omsecor.exe	omsecor.exe
PID 1796 wrote to memory of 2332	1796	omsecor.exe	omsecor.exe
PID 1796 wrote to memory of 2332	1796	omsecor.exe	omsecor.exe
PID 1796 wrote to memory of 2332	1796	omsecor.exe	omsecor.exe
PID 1796 wrote to memory of 2332	1796	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:2332

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
76KB

MD5
8f86bf84d62c7b8d4f706485aec06ea8

SHA1
454a049f89ee754e6d962ca11eef4f0f4b42b8cb

SHA256
22f7fb5ba3470902102403337548e10ab9be95ce10e26fe9b7f21bb6fe9490e0

SHA512
8b8388c20c1a51787263a03ba1f6d9b947229c0faefa936717bad7c0983c6c7d4de064172673b67a68f0af1901a0efa12c11ae5362810170dbfc12eebaa73890

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
76KB

MD5
2e8019e159cf6169599b9db9225c7927

SHA1
ff3e20b23bf0902efb8f9f59d4f58508ccca9fbe

SHA256
dcf94d8e0a70fdcb693212efdfb8e1fd9664d8d19f3d22256b8c3d68b35a210d

SHA512
b50c2e54f3febb5b5a1bab7015def0df5ab98549644c59cf8e91ba58a74ae9e536cab1766c57136a1a709a231be94da51400729e23169d8fa11fa29d16f51385

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
76KB

MD5
fb576adf04d5a4f5f8584b675cb8164f

SHA1
69c25d8d1127624aecc51d8fea07348e87051ac5

SHA256
d25b0262445184f066851a6540e14742fbe8e357586b0946259e874cf6ab8bd7

SHA512
f5faa85143a9b44518cb4c5df6a0720c221b0ba3ed7a2effb2c83677409e1afc76a720ace3625f0a367c0bf9cb4880d024d9d4e976d90f615943c1fce5f62b92

Download Submit