neconyd | 9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-06-2024 00:22

Target

9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe
Size

80KB
MD5

068e41ce4cae090e7c4ed4fb2e565fcd
SHA1

1ff006594e18f31bf4d3b8fd7931812427c3969f
SHA256

9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3
SHA512

360124e9097e2112000034027038a4821f66ba9851bc4b9aba712a773a6806e8d2d6e61e2a0d19916668f1bb1cbb1817f8808358965d638773463ef57016bab1
SSDEEP

768:RfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:RfbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

632 omsecor.exe
3492 omsecor.exe
4792 omsecor.exe
Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 3380 wrote to memory of 632	3380	9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe	omsecor.exe
PID 3380 wrote to memory of 632	3380	9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe	omsecor.exe
PID 3380 wrote to memory of 632	3380	9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe	omsecor.exe
PID 632 wrote to memory of 3492	632	omsecor.exe	omsecor.exe
PID 632 wrote to memory of 3492	632	omsecor.exe	omsecor.exe
PID 632 wrote to memory of 3492	632	omsecor.exe	omsecor.exe
PID 3492 wrote to memory of 4792	3492	omsecor.exe	omsecor.exe
PID 3492 wrote to memory of 4792	3492	omsecor.exe	omsecor.exe
PID 3492 wrote to memory of 4792	3492	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe
"C:\Users\Admin\AppData\Local\Temp\9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:4792

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
80KB

MD5
c5362c904e6569da778c27afbf056c65

SHA1
9dd5909c22f4aca98ae8232b41df1ce22d3458ee

SHA256
c9d54d355768d2a7d795eb6b6e9a8bdf7c51d311058e55b1071428097e1e94a1

SHA512
8a539f653e8dc43ebab51c756e3bcb417f778b5552dbb696463b05b81744d40147c35e9d59aebdeb8ed5b2ee2f5d31f84ae4217a3962facd866782f546e55e88

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
80KB

MD5
86a79b243ef27a434c91fa3bdb9ce0c2

SHA1
ef34019665fea072ea2794647f691ac630c2a9a9

SHA256
df81167aa620081d5ac2eab5cebafc2d44292a387d4c2c61869674b18b106193

SHA512
1abbf0243a3d696db7deea7ab271e21a4f7b734da373322fc7a89d9c76117e370b3078e5f2d8f6cf357d7910ef383d61428d9263fee547c3e26c6b1213ae02e6

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
80KB

MD5
c949f12d8520185069596d0e615d40c8

SHA1
dda3e4d67f6ac97342bd98df16b9cd7ae8601ee6

SHA256
6396a8a24bf5288e693849ef15b4e5c0d1cead148a7445ff952d3b845ee04771

SHA512
ec70b725806889ab37b0f71b4f5efeeecc9e876f7ab9791574e3457264bcfddcc7cbebd2d4a7508df70b0e9fe6e44417222735247017f3ca00c347fb8d93e096

Download Submit