neconyd | dd60cb6e921170cbd1a6d487628f8e9ff229c82de2466bee6571eda95acb9048

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2024 05:38

Target

458f57f74187638d4e9d10336bd8bd30N.exe
Size

88KB
MD5

458f57f74187638d4e9d10336bd8bd30
SHA1

f52f03ba0f62aaba58f1a542eb61ab968217a3f7
SHA256

dd60cb6e921170cbd1a6d487628f8e9ff229c82de2466bee6571eda95acb9048
SHA512

de197f4629b1e85b07990a35dca3360cec3eef7301cfff0483db70561cdb71f3813232b7c717ffc3880f8408931c86cc24a807b82658234663a66f5d06cb4f82
SSDEEP

1536:7d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:LdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 4696	1264	458f57f74187638d4e9d10336bd8bd30N.exe	85
PID 1264 wrote to memory of 4696	1264	458f57f74187638d4e9d10336bd8bd30N.exe	85
PID 1264 wrote to memory of 4696	1264	458f57f74187638d4e9d10336bd8bd30N.exe	85
PID 4696 wrote to memory of 4496	4696	omsecor.exe	89
PID 4696 wrote to memory of 4496	4696	omsecor.exe	89
PID 4696 wrote to memory of 4496	4696	omsecor.exe	89
PID 4496 wrote to memory of 4400	4496	omsecor.exe	90
PID 4496 wrote to memory of 4400	4496	omsecor.exe	90
PID 4496 wrote to memory of 4400	4496	omsecor.exe	90

C:\Users\Admin\AppData\Local\Temp\458f57f74187638d4e9d10336bd8bd30N.exe
"C:\Users\Admin\AppData\Local\Temp\458f57f74187638d4e9d10336bd8bd30N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:4400

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
36c23fdf524dfbb67afdf28b69aaed06

SHA1
baedc3c396cafc968d5c4f6ae37e1af5b5bc203c

SHA256
51ebd81b37111824246b9d57036433b8ae9ba6acab830cd9f3153fe2fa7c3065

SHA512
d60bae8f46376d3acf53751def9425b9c41d72bbfdff31b5217370708082074c6c88eeab2196f07b378ec23c87b07e087e6832f8bf1ffb2f43b10e1c64cd5be5

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
4c73acf5af3bf0a9ca569805102321be

SHA1
53be636e2d99cd009fd8a8c37bfb9edbef7df5a7

SHA256
75eb1ef8197f055adfb46768ccdd391cf527175f7dd5d45a576d3caa5900f867

SHA512
0ef0cdec4f4943a9bf6d89c654155420356ca12898eb439ac675f84028fe0242bad452133215eaabbd3d3b900d37624ceb8f23b1b3b371a1d5855aea228ee976

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
1034ac5396d1ef203ef53ff0165e2a12

SHA1
97b8750c8ced144edebb8e964234a69ad93c8010

SHA256
769b3cc5f62ac6af037427229b059bd16c83b9b7a5f47a71b85e281288b1fd44

SHA512
2e277898c3ab5b97514aa3bf8e688b04145a92606a38cba1fe6ab405d716def083ab3acf7cf9e106c8b7b7b8e5e3653a9aa621b30f3e430f57bbca807e957878

Download Submit