neconyd | 65d5017e053b23fbcfa34607137019ab58e488c4753f51a905d402fce82fdcc3

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65d5017e053b23fbcfa34607137019ab58e488c4753f51a905d402fce82fdcc3.exe
Size

33KB
MD5

b4fb7aa55093dabeb9843970eb9914d1
SHA1

bb1aab0f590f8771b286ff584da3ad6000a7fdf1
SHA256

65d5017e053b23fbcfa34607137019ab58e488c4753f51a905d402fce82fdcc3
SHA512

1bf4345bd11957f2a66000b8a5253970ab2cc275d83d83ab035a56da6bad87b1607af3d1d29af8a2606ea1da9247478f2913bf89ea009c97ba467d563a0f55e1
SSDEEP

768:/fVhP/4kt3+9IV6Y90ksQ1oWHT0hh0vy9S5fsYGbTmoN/yE56hlSQ7D/:/fVRztyHo8QNHTk0qE5fslvN/956qo

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
4548	omsecor.exe
1020	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65d5017e053b23fbcfa34607137019ab58e488c4753f51a905d402fce82fdcc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 4548	4816	65d5017e053b23fbcfa34607137019ab58e488c4753f51a905d402fce82fdcc3.exe	82
PID 4816 wrote to memory of 4548	4816	65d5017e053b23fbcfa34607137019ab58e488c4753f51a905d402fce82fdcc3.exe	82
PID 4816 wrote to memory of 4548	4816	65d5017e053b23fbcfa34607137019ab58e488c4753f51a905d402fce82fdcc3.exe	82
PID 4548 wrote to memory of 1020	4548	omsecor.exe	92
PID 4548 wrote to memory of 1020	4548	omsecor.exe	92
PID 4548 wrote to memory of 1020	4548	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\65d5017e053b23fbcfa34607137019ab58e488c4753f51a905d402fce82fdcc3.exe
"C:\Users\Admin\AppData\Local\Temp\65d5017e053b23fbcfa34607137019ab58e488c4753f51a905d402fce82fdcc3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
33KB

MD5
e93700c04a2acca4562f5e8bc520dfe2

SHA1
36a38201996dd8f8a45497c2e02faa421366dfc0

SHA256
b3f090aea96180d067de8acbd2ba30d89e70c9ae74fd281434e9b04be29b10ff

SHA512
02793a34a59bf4bf1f854a812e513e8122fe63d4c32cdbc21217c6924f7809667c77d4a212b6e365be67e6b641a2dac1ca03036fb206e64ef40368108a69811d

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
33KB

MD5
3cc98079d69f461d99f461ac4de45c28

SHA1
233aa580f52fa15e9a8fb38a7ce9c21c456bf055

SHA256
a26984829f8024bdf5dc73c856ef105eba504b4aa4cd477d3616eee05322e1fe

SHA512
097deb1c0bd9d4e28dbbfc4b93d40c7a46ac306d4399fac335cc909e34c1f8639672f40100f084dd99a41363b3d2c556491575252b4b30894e95b65897ab2c83

Download Submit
memory/1020-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1020-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4548-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4548-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4548-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4548-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4548-15-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4548-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4816-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4816-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download