neconyd | 25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe
Size

62KB
MD5

d1896f5ae8cf8436b83b2f6542117083
SHA1

3f873aff30a32926a4485d1398c22b2d8dc17cbd
SHA256

25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8
SHA512

35442b9fd60aa2ee142abf19b1583a051f0ebff2539778e7db9f16dc06af217d8f7d734132936cb0132b2f45cf9c13ad9a84279089cbf8aaff9ab2c0d17311d4
SSDEEP

768:nMEIvFGvZEr8LFK0ic46N47eSdYAHwmZQp6JXXlaa5uAF:nbIvYvZEyFKF6N4yS+AQmZtl/5N

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1148	omsecor.exe
3968	omsecor.exe
3552	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 1148	1524	25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe	84
PID 1524 wrote to memory of 1148	1524	25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe	84
PID 1524 wrote to memory of 1148	1524	25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe	84
PID 1148 wrote to memory of 3968	1148	omsecor.exe	94
PID 1148 wrote to memory of 3968	1148	omsecor.exe	94
PID 1148 wrote to memory of 3968	1148	omsecor.exe	94
PID 3968 wrote to memory of 3552	3968	omsecor.exe	95
PID 3968 wrote to memory of 3552	3968	omsecor.exe	95
PID 3968 wrote to memory of 3552	3968	omsecor.exe	95

C:\Users\Admin\AppData\Local\Temp\25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe
"C:\Users\Admin\AppData\Local\Temp\25ab8d0b58f13ed8dacefa17a8ff1e644df9fbc98fc935c6baf23dfbd78f2bd8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
2d9e27e4f4bd5354d15d7d676685cca1

SHA1
795fc0b336769a9ae9b5eb8f06d044c0361a50a1

SHA256
6fbfb6515786bc2259e794d22b0b596fbc25bfb9eb5de39bac377f0ad7cee78e

SHA512
1d9c079fe8f9e2213d1196819d31905f46292aafed93035a44103a63af1f441d5b548ae66b7cc017400fb13f8a87c07076bce3c490fbf71ebd8e8e6b0d6ed8f6

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
2cd7c80517cdbc9aca05e6e3c66a1406

SHA1
e8ff84a35fd25236dc4a51574108a677cc2387d2

SHA256
d11035c40016617ab62d44d807262d8f6dd441aa05dee9b46c23edb9ba5ea1da

SHA512
a67e6a227a08162892e9a4eead28d3129a67431bff3b713351492bf2a4d705867bd914d837355cbec1862a8bd249bc4222675ab010c50fdae6605f05c35d0cc0

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
62KB

MD5
40aa27b1c476bb634b4cf4590ce3090e

SHA1
1519525da6d6b08281c592c9e352fa8950131e0e

SHA256
7eb378ad675e28e2fe6bb159dcd4ee0d75771376f54e7a122d4942a3763fa161

SHA512
082e856f084ab5f4eb556257f2aaf18a0210f33c5159942753e84f128a4aa3172fee911268dad197d4a9c24aa0a73169c8e3debec416ecf310305a59ed310087

Download Submit