neconyd | 9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-06-2024 00:22

Target

9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe
Size

80KB
MD5

068e41ce4cae090e7c4ed4fb2e565fcd
SHA1

1ff006594e18f31bf4d3b8fd7931812427c3969f
SHA256

9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3
SHA512

360124e9097e2112000034027038a4821f66ba9851bc4b9aba712a773a6806e8d2d6e61e2a0d19916668f1bb1cbb1817f8808358965d638773463ef57016bab1
SSDEEP

768:RfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:RfbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

2192 omsecor.exe
2880 omsecor.exe
1980 omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exeomsecor.exeomsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 1792 wrote to memory of 2192	1792	9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe	omsecor.exe
PID 1792 wrote to memory of 2192	1792	9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe	omsecor.exe
PID 1792 wrote to memory of 2192	1792	9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe	omsecor.exe
PID 1792 wrote to memory of 2192	1792	9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe	omsecor.exe
PID 2192 wrote to memory of 2880	2192	omsecor.exe	omsecor.exe
PID 2192 wrote to memory of 2880	2192	omsecor.exe	omsecor.exe
PID 2192 wrote to memory of 2880	2192	omsecor.exe	omsecor.exe
PID 2192 wrote to memory of 2880	2192	omsecor.exe	omsecor.exe
PID 2880 wrote to memory of 1980	2880	omsecor.exe	omsecor.exe
PID 2880 wrote to memory of 1980	2880	omsecor.exe	omsecor.exe
PID 2880 wrote to memory of 1980	2880	omsecor.exe	omsecor.exe
PID 2880 wrote to memory of 1980	2880	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1980

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
80KB

MD5
86a79b243ef27a434c91fa3bdb9ce0c2

SHA1
ef34019665fea072ea2794647f691ac630c2a9a9

SHA256
df81167aa620081d5ac2eab5cebafc2d44292a387d4c2c61869674b18b106193

SHA512
1abbf0243a3d696db7deea7ab271e21a4f7b734da373322fc7a89d9c76117e370b3078e5f2d8f6cf357d7910ef383d61428d9263fee547c3e26c6b1213ae02e6

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
80KB

MD5
8b235e2c81a8294e9bd4db98b34a1967

SHA1
d836aad98f6874565c560f3a5023cb0b7031c8c4

SHA256
2d4fa9915cb8a6d8c5c9a3372bd03f6c24f57bb33b3824211fd20f810b825171

SHA512
e2d729d94cd07eaf2a34549b1be7bb71b0cc7cd56f678aef22efb2600a49e6a6898a2a8c8eecaafcdf8228b934f9e93d7e36e30c84b62aba2c5c0851ed0c7e6a

Download Submit
\Windows\SysWOW64\omsecor.exe
Filesize
80KB

MD5
08da9b2a58f22a6bf0d82183fcadd3db

SHA1
9ac3e9cbca7fcc2e1b4abcb3d92161b2f14c3a40

SHA256
787a177ad9fcf6e1be9ce4ed91a2e85422d350e551dd790ab46123e4a1148e70

SHA512
ef7fc872b3844c6798f6721f980a5f200a45db25b58fac7c39346b9fe9c6dce2f3c6c7eacfdbdad4addd0dc234110c0edc100cae9eeb9e8f38e33537404b3bc0

Download Submit