neconyd | 5c8725b21d51e538d5fe7e010e1c00c418455ef5bfcd922da7d2adbf0134ebf3

Analysis

max time kernel
116s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 00:48

Target

4f600b3c249e431b55f753a9b05e5be0N.exe
Size

88KB
MD5

4f600b3c249e431b55f753a9b05e5be0
SHA1

df5254615f7bd8d329fc08f6012c8e5eb293afc0
SHA256

5c8725b21d51e538d5fe7e010e1c00c418455ef5bfcd922da7d2adbf0134ebf3
SHA512

5c6b67149766dd8ced476c80a8b8461df826afa5eebeb93840e14b3358077a769c929081e1b989003af8a4247d6ad98496108ee99da5b443ebcdb10466b972a6
SSDEEP

768:JMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAx:JbIvYvZEyFKF6N4yS+AQmZTl/5Z

Score

10^/10

neconyd trojan

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Executes dropped EXE 3 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 844	1784	4f600b3c249e431b55f753a9b05e5be0N.exe	84
PID 1784 wrote to memory of 844	1784	4f600b3c249e431b55f753a9b05e5be0N.exe	84
PID 1784 wrote to memory of 844	1784	4f600b3c249e431b55f753a9b05e5be0N.exe	84
PID 844 wrote to memory of 2952	844	omsecor.exe	90
PID 844 wrote to memory of 2952	844	omsecor.exe	90
PID 844 wrote to memory of 2952	844	omsecor.exe	90
PID 2952 wrote to memory of 1096	2952	omsecor.exe	91
PID 2952 wrote to memory of 1096	2952	omsecor.exe	91
PID 2952 wrote to memory of 1096	2952	omsecor.exe	91

C:\Users\Admin\AppData\Local\Temp\4f600b3c249e431b55f753a9b05e5be0N.exe
"C:\Users\Admin\AppData\Local\Temp\4f600b3c249e431b55f753a9b05e5be0N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      PID:1096

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
9ca6996f98ca3a0b4b2fb1e55318a1a0

SHA1
5bd639369bf8be69938f758505837c5fd4ea0ac8

SHA256
e2c97a31ceb6efb8993026ee26ed254e707f35813e2fd59394e23dc8b7f449a1

SHA512
208cdb72532d6ff55185e39145ae9e4cdfb224718b6c32c2992666d2a674a7db48a7d791afccd1931a3018805a610d261249968a27101678061d21131c0f2d8e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
be3af599abe96a1183325d0c10c439fb

SHA1
96bf81fdc4f33785f530a319b60a8de339f472cd

SHA256
60d2ad533b1aa93e15dc24ac7dbfc2d31d4da7f77f6cbb89ed224c193621153f

SHA512
18e4b75063e6133f61344229291fb70a76377f45e896b0c6b7b692e881684e4e40ae1437855abad3f6df91265788f82cda44e554934d2ad255a6193a20fbfa94

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
079e9042fae3350d742d67f49e07ca42

SHA1
feda3c9ca885c5d2b0e138c4342f9a89c9bb7c74

SHA256
bea1a6370c6a055dbb0d5b470ef828c08db785c9f6f96e242d3ac8ca4619369a

SHA512
788d19e1e4fb798cf38ee8d471559210a609ced70baf2a3788a3d4fe072ec3295d0c96c9daa52223b7cf7ba030e2f51c136960c0edecc06d752cc5ff152b193d

Download Submit