neconyd | a314a6b8b2b9441fdcb3ec7905ca7b3b3d877bc485870e023a580dae7569f1eb

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a314a6b8b2b9441fdcb3ec7905ca7b3b3d877bc485870e023a580dae7569f1eb.exe
Size

89KB
MD5

d4982f12d75480793c716cb83b68012a
SHA1

aff01301f46f20d0e8bc54ee554d26c6cb21f129
SHA256

a314a6b8b2b9441fdcb3ec7905ca7b3b3d877bc485870e023a580dae7569f1eb
SHA512

8849be50401eaf11211f5cf9c0ca8bd313256db72cf6a7fac3119d656093ba86f7376525f5f08813c33fa0df6a6f344760c71f757ca80f915eadee3791e66422
SSDEEP

768:4MEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAP:4bIvYvZEyFKF6N4yS+AQmZTl/5H

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
400	omsecor.exe
4720	omsecor.exe
1788	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a314a6b8b2b9441fdcb3ec7905ca7b3b3d877bc485870e023a580dae7569f1eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 400	668	a314a6b8b2b9441fdcb3ec7905ca7b3b3d877bc485870e023a580dae7569f1eb.exe	83
PID 668 wrote to memory of 400	668	a314a6b8b2b9441fdcb3ec7905ca7b3b3d877bc485870e023a580dae7569f1eb.exe	83
PID 668 wrote to memory of 400	668	a314a6b8b2b9441fdcb3ec7905ca7b3b3d877bc485870e023a580dae7569f1eb.exe	83
PID 400 wrote to memory of 4720	400	omsecor.exe	100
PID 400 wrote to memory of 4720	400	omsecor.exe	100
PID 400 wrote to memory of 4720	400	omsecor.exe	100
PID 4720 wrote to memory of 1788	4720	omsecor.exe	101
PID 4720 wrote to memory of 1788	4720	omsecor.exe	101
PID 4720 wrote to memory of 1788	4720	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\a314a6b8b2b9441fdcb3ec7905ca7b3b3d877bc485870e023a580dae7569f1eb.exe
"C:\Users\Admin\AppData\Local\Temp\a314a6b8b2b9441fdcb3ec7905ca7b3b3d877bc485870e023a580dae7569f1eb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:668
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
01209306eb222a3d20b8693e41c957e1

SHA1
3a53a640b782668f9ab8e17706f1005f88f02007

SHA256
f81435fa63ddf7f8e63e07d8c12bcbd22d5ffe0e400f3497a4a73aa3a5433696

SHA512
404477794d894ff16366425cee8b9884447d1f0aff96eae81a4a9cda1c6b647e48f8151005610f333e6b35281f40d6940028e91931324968eeab89511d05c5b0

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
89KB

MD5
44decfb986f53671f572de1ca9beccee

SHA1
3a796d9d7aa6e58b24d3e8b40e0fa1f3b1d48677

SHA256
3df5f0cd4ee1155f59525f97ed0bc549b371cd88e8d3f55e34b2a90256311830

SHA512
cc3c7fcd0c8f9c4d9ed8e265131b33525258943b2f6c33a386e2c977efa2d2ef42b55109fe1af79583a1b6e4f29107ed8e2de77180800facd2fb11967485b1e0

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
89KB

MD5
42d2efdb4159cace68b88c051cff4fbf

SHA1
3d2fa6d8aed4a6d5993010d8de78a0e4ce4ec082

SHA256
7ccf8b43a71984bc4b3f583a6caaecef440cb42c48ea99b4f97dd16343a9d20c

SHA512
7f078341d917ceda7d853b880aa12681ea66fb6478558f4a1037abf0c23c65af182c586eac93eed7499c1f78b7b1880ded17984f8e7a418b504704e3c0766f8b

Download Submit