neconyd | 285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-06-2024 01:32

Target

285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527_NeikiAnalytics.exe
Size

80KB
MD5

55092c4be3c874709a6560330c7f2690
SHA1

2daa2f8536add16b483f6187fd298066667d61d3
SHA256

285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527
SHA512

730463fc5091c32b347758d423de65e7d1758ec52d5f79c37bc6ca19e2477acddb30d7c131bb7fd9c9c1f7e2adb103dbf16bc8f5a3b6647e980bd413089bab83
SSDEEP

768:zfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:zfbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 3 IoCs

Processes:

omsecor.exeomsecor.exeomsecor.exe

pid process

3008 omsecor.exe
1620 omsecor.exe
1744 omsecor.exe

Loads dropped DLL 6 IoCs

Processes:

285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527_NeikiAnalytics.exeomsecor.exeomsecor.exe

pid	process
2984	285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527_NeikiAnalytics.exe
2984	285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527_NeikiAnalytics.exe
3008	omsecor.exe
3008	omsecor.exe
1620	omsecor.exe
1620	omsecor.exe

Drops file in System32 directory 1 IoCs

Processes:

omsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527_NeikiAnalytics.exeomsecor.exeomsecor.exe

description	pid	process	target process
PID 2984 wrote to memory of 3008	2984	285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527_NeikiAnalytics.exe	omsecor.exe
PID 2984 wrote to memory of 3008	2984	285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527_NeikiAnalytics.exe	omsecor.exe
PID 2984 wrote to memory of 3008	2984	285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527_NeikiAnalytics.exe	omsecor.exe
PID 2984 wrote to memory of 3008	2984	285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527_NeikiAnalytics.exe	omsecor.exe
PID 3008 wrote to memory of 1620	3008	omsecor.exe	omsecor.exe
PID 3008 wrote to memory of 1620	3008	omsecor.exe	omsecor.exe
PID 3008 wrote to memory of 1620	3008	omsecor.exe	omsecor.exe
PID 3008 wrote to memory of 1620	3008	omsecor.exe	omsecor.exe
PID 1620 wrote to memory of 1744	1620	omsecor.exe	omsecor.exe
PID 1620 wrote to memory of 1744	1620	omsecor.exe	omsecor.exe
PID 1620 wrote to memory of 1744	1620	omsecor.exe	omsecor.exe
PID 1620 wrote to memory of 1744	1620	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
4⤵
- Executes dropped EXE
PID:1744

\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
80KB

MD5
a3e76dd81f15da754f059d9feddbb885

SHA1
a3a9879a1ca337e4c77828d7f044e1ccc7d227ce

SHA256
aad9dbfe3a618ca2db523eb54f2a070a41ceba970f4c4626ec7cd95a21f5c9d2

SHA512
f63c6607da743ef34c922e468449131f99f08b34736dc34a3f3a30b76f2183206e9a5e2bfcf432557960170a72cd9a804cf180cf99d0ce763fb20a953092e3b6

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
80KB

MD5
0ddf8a3d6cea64b70cf9c5a1e8f894db

SHA1
96f824fa8c776cea26a5d7920bd52666933aae2a

SHA256
c33d6d8a536dc8e2ddfc11110a71e7c94f08ca92277585b8db0a92e073e76015

SHA512
9e1de3668e5565e9d57953e78fe5bd26bc1055cc448804d43995891430eecc291e69b6e0ca6ca20d5047123fccd7c7dce3ef942c4e8f5f668bdc3f5c0e7e6847

Download Submit