neconyd | aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874.exe
Size

92KB
MD5

47d993f1bd5705986bdd012fd96fc70f
SHA1

4f07bd8b004d48dd25d5d74621104d7231b8f36f
SHA256

aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874
SHA512

6171987abdca94c22ffb1366f9f2982269b89914f3dbcea964016ecb379b6df401b06a6c885f74da32e6aa53d6c247a605ce52aeb0db4dc9e8c9800a554ea422
SSDEEP

1536:cd9dseIOcEr3bIvYvZEyF4EEOF6N4yS+AQmZTl/5d:kdseIOyEZEyFjEOFqTiQm5l/5d

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2692	omsecor.exe
1932	omsecor.exe
4300	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2692	2428	aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874.exe	83
PID 2428 wrote to memory of 2692	2428	aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874.exe	83
PID 2428 wrote to memory of 2692	2428	aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874.exe	83
PID 2692 wrote to memory of 1932	2692	omsecor.exe	101
PID 2692 wrote to memory of 1932	2692	omsecor.exe	101
PID 2692 wrote to memory of 1932	2692	omsecor.exe	101
PID 1932 wrote to memory of 4300	1932	omsecor.exe	102
PID 1932 wrote to memory of 4300	1932	omsecor.exe	102
PID 1932 wrote to memory of 4300	1932	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874.exe
"C:\Users\Admin\AppData\Local\Temp\aefed05e41800481ddaf818d2ad5d0bac11a3f8f505c8fc780784872b1acb874.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
292f84944fb913a034fcf99ec8367200

SHA1
c96e66ef392f34b72f111ec5b2680557cd16234e

SHA256
649947b2cfc2ad8ae228d5a7d48066c6d70ee8a983ed85d9873810ef30668542

SHA512
bc32f9dade39acf80e3b5759f0a5ba7982153d04aba6e52fea6176eab5239ee913be4fef636f5fa40380d56d0a32390b0584df3f8478b77ee8b2584493d779a4

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
92KB

MD5
1aa1486631d89f1c89d18dc32cd231f8

SHA1
166fd6e3bb346e8f6ebcf2be5f21f7e026abe0c4

SHA256
b8724fa98fc644e74c5510e4a1a34e4e930aabca7fcd5d3fff742a44db8908d7

SHA512
01eb55c9be870a97e429512ecd0ffa49b210e6483028b7617d1aee1fab4768d357f68be3cb448fa29febd229d181a0fb94da7c4ad7d73b30bd2f2e355dbe2671

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
92KB

MD5
4c2dbbfa9a699638d0ead5158c209ef6

SHA1
5623bbd3a600284e859ad58b3c5b96350bda8a7b

SHA256
91349538413bacf6f3ab143c62110bb6974459245514dbc6896b1f5f1bd267a3

SHA512
1461bdebd0fcb77ae15d5aaea58cb914241dca8fdb4acda588a9d9bd57242e7fea45c7a8ba88569a74519d2034c025a0607a2ef3c30d09ef30099c7fb232cbc6

Download Submit
memory/1932-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1932-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2428-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2428-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2692-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2692-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2692-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4300-19-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4300-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download