neconyd | 285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 01:32

Target

285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527_NeikiAnalytics.exe
Size

80KB
MD5

55092c4be3c874709a6560330c7f2690
SHA1

2daa2f8536add16b483f6187fd298066667d61d3
SHA256

285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527
SHA512

730463fc5091c32b347758d423de65e7d1758ec52d5f79c37bc6ca19e2477acddb30d7c131bb7fd9c9c1f7e2adb103dbf16bc8f5a3b6647e980bd413089bab83
SSDEEP

768:zfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:zfbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Executes dropped EXE 2 IoCs

Processes:

omsecor.exeomsecor.exe

pid process

3544 omsecor.exe
3848 omsecor.exe
Drops file in System32 directory 2 IoCs

Processes:

omsecor.exeomsecor.exe

description ioc process

File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe

pid	process
3544	omsecor.exe
3848	omsecor.exe

description	ioc	process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527_NeikiAnalytics.exeomsecor.exe

description	pid	process	target process
PID 4664 wrote to memory of 3544	4664	285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527_NeikiAnalytics.exe	omsecor.exe
PID 4664 wrote to memory of 3544	4664	285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527_NeikiAnalytics.exe	omsecor.exe
PID 4664 wrote to memory of 3544	4664	285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527_NeikiAnalytics.exe	omsecor.exe
PID 3544 wrote to memory of 3848	3544	omsecor.exe	omsecor.exe
PID 3544 wrote to memory of 3848	3544	omsecor.exe	omsecor.exe
PID 3544 wrote to memory of 3848	3544	omsecor.exe	omsecor.exe

C:\Users\Admin\AppData\Local\Temp\285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\285b7db68291687f8e352b8fbfffc2608e472116b22a623fea185c6e29c83527_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4476 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4284

C:\Users\Admin\AppData\Roaming\omsecor.exe
Filesize
80KB

MD5
a3e76dd81f15da754f059d9feddbb885

SHA1
a3a9879a1ca337e4c77828d7f044e1ccc7d227ce

SHA256
aad9dbfe3a618ca2db523eb54f2a070a41ceba970f4c4626ec7cd95a21f5c9d2

SHA512
f63c6607da743ef34c922e468449131f99f08b34736dc34a3f3a30b76f2183206e9a5e2bfcf432557960170a72cd9a804cf180cf99d0ce763fb20a953092e3b6

Download Submit
C:\Windows\SysWOW64\omsecor.exe
Filesize
80KB

MD5
79ba0951c6077c148e819689d8609cb3

SHA1
894cea784d57b665827e723225e575d4d7b7afe4

SHA256
a057390a450dee9e69de36eb99d386e9ad5679a6e6ab9fd0b5d39c1383fe9432

SHA512
ad8e807e66eca4e2645780ca1adf7dda70882dd7bb8ef99532f684cd824a732c5ed22f9e04729d2f213cd978c7eef93f56d6d5dcdc70f263d6129e50ebad0e7c

Download Submit