neconyd | ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52

Analysis

max time kernel
118s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52N.exe
Size

70KB
MD5

f188a8c2e84ed1be1d02a7b2a248eb40
SHA1

eef8a31ae6d45f8992fbb40fee3fd331d5fa462a
SHA256

ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52
SHA512

bc3da1760d0f4970315e48b034fc028d7542b7f6f9cad1ca4e39264a61622f350e2ab9c323c8d7d160934e0f99152ec781616c40c3fc99221edf4676ea3958f6
SSDEEP

1536:cd9dseIOcE93bIvYvZEyF4EEOF+N4yS+AQmZsDHNzfE:kdseIOMEZEyFjEOFuTiQm+DHNzfE

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
3688	omsecor.exe
2512	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 3688	2344	ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52N.exe	82
PID 2344 wrote to memory of 3688	2344	ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52N.exe	82
PID 2344 wrote to memory of 3688	2344	ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52N.exe	82
PID 3688 wrote to memory of 2512	3688	omsecor.exe	92
PID 3688 wrote to memory of 2512	3688	omsecor.exe	92
PID 3688 wrote to memory of 2512	3688	omsecor.exe	92

C:\Users\Admin\AppData\Local\Temp\ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52N.exe
"C:\Users\Admin\AppData\Local\Temp\ba19289241b57a93d7e26d5b275892f3b11fccdfa6fc3e4e0002c8a67854fa52N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
70KB

MD5
f572df81092422c9dd0d6612733c8e11

SHA1
0c10742e81376d0185171ed9c62b4833a3ad738a

SHA256
6329224fa74b7698e5b7954ec88e8bf33b0052b4b475d0e8db7fbff19a313007

SHA512
7b3b800513bc2dc6de0ed1103dc2ce2ec7b003a41207b05730178df2d658cf42c033e11cf3c55730b7126def43be9f4073171efd63d71f28a2cc08d3437ade55

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
70KB

MD5
b95ca5236fdc91328c16bb6de869efcf

SHA1
d0576c03be8960b633cb991d399b565e1397b1d0

SHA256
881b787b0a9e96981bd22d6ce004a937ef1bb0f29ae113e19809dc719d296621

SHA512
f9fe08657b8327047e6b9e232bb5d61e4d6df2bfbea85004c56709cae2f6786adba7985ce61865d5650a2fb305788dcd7b292d00448513d0a70ed6d2b7f0b1ef

Download Submit
memory/2344-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2344-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2512-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2512-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3688-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3688-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3688-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download