neconyd | 25c92a82923530fa591ecc1d616f734d2d9cdf316e0eba9f5077b3751edad16f

Analysis

max time kernel
118s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25c92a82923530fa591ecc1d616f734d2d9cdf316e0eba9f5077b3751edad16f.exe
Size

71KB
MD5

e3e2b715ff511fbbd1319f4d9be1b785
SHA1

f1ca8fd66c392b948dea7821426f49b573d221ac
SHA256

25c92a82923530fa591ecc1d616f734d2d9cdf316e0eba9f5077b3751edad16f
SHA512

2e3ea75048665116096378c6c3b629e1a26d068f60ae6d60e86ad81b33ec5aa5c5e2958249d049e320e59c3b2b32f7949b3f83fe874d5f30fd079e2b16dda754
SSDEEP

1536:Sd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHP:idseIOMEZEyFjEOFqTiQmQDHIbHP

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3032	omsecor.exe
1548	omsecor.exe
2244	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25c92a82923530fa591ecc1d616f734d2d9cdf316e0eba9f5077b3751edad16f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 3032	2116	25c92a82923530fa591ecc1d616f734d2d9cdf316e0eba9f5077b3751edad16f.exe	82
PID 2116 wrote to memory of 3032	2116	25c92a82923530fa591ecc1d616f734d2d9cdf316e0eba9f5077b3751edad16f.exe	82
PID 2116 wrote to memory of 3032	2116	25c92a82923530fa591ecc1d616f734d2d9cdf316e0eba9f5077b3751edad16f.exe	82
PID 3032 wrote to memory of 1548	3032	omsecor.exe	92
PID 3032 wrote to memory of 1548	3032	omsecor.exe	92
PID 3032 wrote to memory of 1548	3032	omsecor.exe	92
PID 1548 wrote to memory of 2244	1548	omsecor.exe	93
PID 1548 wrote to memory of 2244	1548	omsecor.exe	93
PID 1548 wrote to memory of 2244	1548	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\25c92a82923530fa591ecc1d616f734d2d9cdf316e0eba9f5077b3751edad16f.exe
"C:\Users\Admin\AppData\Local\Temp\25c92a82923530fa591ecc1d616f734d2d9cdf316e0eba9f5077b3751edad16f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
bbef9b23693ef8ca1060dde15ff0b5c4

SHA1
7b2c6f0aa9922fb4f38db12f24a4d0eb7592cc6a

SHA256
ffd64392ba306e54ae2bfc64e25897cd7d5002a949123f48ee280f2800267952

SHA512
cd19008bdc73f687f7b30e3bdd5d9d5a3cf0e4e866d7f1d05eec3cff4442da115c41692c47921c73ad612a6dee2b1256dc2b84c262d7152a76458948cd182969

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
a4a546865c15275cd7650dc69e579dcc

SHA1
6ae6d3db60b3b832fa0ce809eddb1a1a0ed26591

SHA256
8a63ea7898973bc3cbf3e1d6af5a461fd16568d620fd64528c0a6e10e26c2643

SHA512
48b373235e7c5e6f6993554d37fa94bfdc8a96181e8b56ca980924be900a78d395810b27cb3b7ee94c3353701dd63d3b59fdfc8fa2618a5db1221c594171facf

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
7d5ea4513d42f9faf5ab8c4051a97348

SHA1
c44fb01f819d711512e151443c51c2c5a726d959

SHA256
2b465564074250371dbb3342da7bf9f5c4ed346b15618bde2796e4f39991236b

SHA512
10957a11333b349e8b32d8e2a89e86c634a0a05f1abcff1b0745944e0b27de4cba8737fff7b5175db1f489c1b3fe42ba27b935aa8183b949806a33c7ee2a8cc1

Download Submit
memory/1548-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1548-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2116-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2116-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2244-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2244-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3032-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3032-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3032-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download