neconyd | 9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0.exe
Size

76KB
MD5

7cf0b22925596438209e6ef658887cbc
SHA1

07ee522680da1341203441a23326042118ad1ad5
SHA256

9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0
SHA512

11c0c7fd0e737a507d383c8c27490597b812c1c808a11b7fcea888f69cdb1ee8f7086cfcc3eff364683146516ece3f440acda52828187d328bf0022e6e51590e
SSDEEP

768:sMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:sbIvYvZEyFKF6N4yS+AQmZTl/5Ob

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2828	omsecor.exe
2312	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2828	3000	9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0.exe	82
PID 3000 wrote to memory of 2828	3000	9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0.exe	82
PID 3000 wrote to memory of 2828	3000	9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0.exe	82
PID 2828 wrote to memory of 2312	2828	omsecor.exe	92
PID 2828 wrote to memory of 2312	2828	omsecor.exe	92
PID 2828 wrote to memory of 2312	2828	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0.exe
"C:\Users\Admin\AppData\Local\Temp\9149dac69f1a4cb1a039e460f7f562aafb66a54d47099162e630668defbde9d0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
aa68fbc2ea326c7c3d497f5ae6179abd

SHA1
9cd6423ca2c0dc48e5598f567e3681c6f6a48f63

SHA256
fa69905cccb571913c5fc79329cd402b74d7f768a65b16ab827d68a8a0f66f0f

SHA512
516569d0d309c9049ccff0be6bdcca9e5a719874096e1a1b5b69676c2b9b5868a424b2b30e58ae78b6694d0ca036e75da13ae5ae949ec0d8c9ee7e7c6f635920

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
929aa21a135f20334230ca2d3cc3a913

SHA1
a0c7f6684868492da4fa45d4792e986d1255bcd0

SHA256
48299fbebe153e12864e868797cc074d6b8145da10ae155a3ec1ad896ffa397e

SHA512
fbc745659b0441138133cdb8ef712bc70f6db4b2e5bc1235648f152a336cc13e4c3a7593d0e84f3e55e0729f9f8c59d7d46b5199ddbca711c36b4510958c67a2

Download Submit