neconyd | 8856f35ea01bb1c8f68b8f55c67983850465cac06215d0b6267e622dd828a76b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-06-2024 07:32

Target

8856f35ea01bb1c8f68b8f55c67983850465cac06215d0b6267e622dd828a76b_NeikiAnalytics.exe
Size

72KB
MD5

2617c44198b9173681552cf20deec850
SHA1

8e8dd9c39d1dac69c335b9e18272c5bc250f2e0b
SHA256

8856f35ea01bb1c8f68b8f55c67983850465cac06215d0b6267e622dd828a76b
SHA512

2aa143bbdcef7eb08684f4c3e4f69c96e1b0755a4ca410b380af74a6bf2bdb562868a7e5b57b28e7da1e8f9fd443c5ebe75106c94816ce03bf7093e2054842e4
SSDEEP

1536:Rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211:hdseIOMEZEyFjEOFqTiQm5l/5211

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

468 omsecor.exe
3056 omsecor.exe
Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe

pid	process
468	omsecor.exe
3056	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8856f35ea01bb1c8f68b8f55c67983850465cac06215d0b6267e622dd828a76b_NeikiAnalytics.exeomsecor.exe

description	pid	process	target process
PID 4296 wrote to memory of 468	4296	8856f35ea01bb1c8f68b8f55c67983850465cac06215d0b6267e622dd828a76b_NeikiAnalytics.exe	omsecor.exe
PID 4296 wrote to memory of 468	4296	8856f35ea01bb1c8f68b8f55c67983850465cac06215d0b6267e622dd828a76b_NeikiAnalytics.exe	omsecor.exe
PID 4296 wrote to memory of 468	4296	8856f35ea01bb1c8f68b8f55c67983850465cac06215d0b6267e622dd828a76b_NeikiAnalytics.exe	omsecor.exe
PID 468 wrote to memory of 3056	468	omsecor.exe	omsecor.exe
PID 468 wrote to memory of 3056	468	omsecor.exe	omsecor.exe
PID 468 wrote to memory of 3056	468	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\8856f35ea01bb1c8f68b8f55c67983850465cac06215d0b6267e622dd828a76b_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8856f35ea01bb1c8f68b8f55c67983850465cac06215d0b6267e622dd828a76b_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1392 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:4432

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
72KB

MD5
290996f55477b319b637103c5b319568

SHA1
4dfb0b9eca56eb63a79b08f8d1e77d01162534f2

SHA256
b2558f0ef0683cdb634af7df82a0da419ea092b8f5e5a7e0300ad2846944c7a1

SHA512
1117e56c656f524ad70673042d7d6ef041a18d97385f8bda0a174461166641abbde783569ca6f2a757c83336fa537dd67fa1adf10dcd740fddcf750af1129baf

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
72KB

MD5
4a89c6969e25b4de71c6e7f1d4aa5530

SHA1
762e73e293924dabe12bdd68c61c1ba15a6e78fa

SHA256
8894557ac0107787e1108d698a6091f84e4ab4cfe9e4bc2a153d8bef6dba9736

SHA512
699e0619026fc2f19b15933e09aadbd6ba7f5f3de2dece1b2609f728a2a9b87fa55db0719aaa22d87e9a3f429f57b53cb9c1f39a1e5b2d9d67f90178bdc1c1c9

Download Submit