neconyd | 8b8afce48da1552e0d3315b8e9166ec9625504971e2efaa740dee78587b1a1e9

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b8afce48da1552e0d3315b8e9166ec9625504971e2efaa740dee78587b1a1e9N.exe
Size

92KB
MD5

c787be34fed9da0b7e0cc61ffb5491b0
SHA1

91a99a52693ae79932866f7e13c28c627669bb53
SHA256

8b8afce48da1552e0d3315b8e9166ec9625504971e2efaa740dee78587b1a1e9
SHA512

5bbf2274912ae12e6191bb4a5434438a5f84cbaf8e06977407a1426de2ac5bb4a1753bcacbe47ee44da183010d3f629b7dae906301bbafbcf1fdc5401c9d7c6b
SSDEEP

1536:Vd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5f:ddseIOyEZEyFjEOFqTiQm5l/5f

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2596	omsecor.exe
4060	omsecor.exe
2804	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b8afce48da1552e0d3315b8e9166ec9625504971e2efaa740dee78587b1a1e9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2596	2784	8b8afce48da1552e0d3315b8e9166ec9625504971e2efaa740dee78587b1a1e9N.exe	82
PID 2784 wrote to memory of 2596	2784	8b8afce48da1552e0d3315b8e9166ec9625504971e2efaa740dee78587b1a1e9N.exe	82
PID 2784 wrote to memory of 2596	2784	8b8afce48da1552e0d3315b8e9166ec9625504971e2efaa740dee78587b1a1e9N.exe	82
PID 2596 wrote to memory of 4060	2596	omsecor.exe	92
PID 2596 wrote to memory of 4060	2596	omsecor.exe	92
PID 2596 wrote to memory of 4060	2596	omsecor.exe	92
PID 4060 wrote to memory of 2804	4060	omsecor.exe	93
PID 4060 wrote to memory of 2804	4060	omsecor.exe	93
PID 4060 wrote to memory of 2804	4060	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\8b8afce48da1552e0d3315b8e9166ec9625504971e2efaa740dee78587b1a1e9N.exe
"C:\Users\Admin\AppData\Local\Temp\8b8afce48da1552e0d3315b8e9166ec9625504971e2efaa740dee78587b1a1e9N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
e16dd2139b114b1a12140889e4b96cfa

SHA1
a9115d91f6593300666425ba0441051fc58399ad

SHA256
b734fa658521cf6aeebebdb2a7a1346981b7571ffc5198afca2c2106175715c9

SHA512
eeeb2c3b1e408a18989a2ea2c2fbdfcef74f802d84ba78878491f557b638f5b69000c2ea198332058e81ab9ac14a884d3d768733c7df3bccbb00019ab9704c8e

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
6156a874680b83f66bb4ae74e59c5bc2

SHA1
fcbc055b5c57025cfa7acf0310d386c6d0a79c92

SHA256
23332e19aab915072c6ea6ff412edbd377711528c619bbec78589c45048f099a

SHA512
3683499583b778827229360d11dc4fd148165df63acabcf51340c308d6f4af6bf2ec43ff3bf2d786b3a308266e509eb4518b065d4e882bdea0f0612fa3e91e20

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
60c04a14fbfe75fc17735534d777c348

SHA1
245ec143d96d3e5529fef64435f7d1c764f98759

SHA256
5d80533b44e56eabb1ace352a659f29868e4d34c08a25fe50d7463af50a0f0f4

SHA512
2c1c2a3e38e3ac907152c24b29aa3e94d7f1e14d7eb2fe2c0040d11de8f2ec46d30af7ea603d43005d6b6d9003730fdc58a2d91a0fcc471e8d0ef15b363e9874

Download Submit
memory/2596-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2596-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2596-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2784-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2784-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2804-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2804-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4060-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4060-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download