neconyd | f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47.exe
Size

76KB
MD5

3ec6bfba8944e2ba6b17cd488ec7eb17
SHA1

a290ba70e0fbb91ae287404f7eca37cbedca849f
SHA256

f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47
SHA512

d49d13ea2fcd6366c402feab6a25f5218282f05cdeda11ace102b7d9217d0b4f64d61affca9b9e3799b57fed643fd585a963d01584e2caefd7970582fc4a55f3
SSDEEP

1536:1d9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11H:9dseIOMEZEyFjEOFqaiQm5l/5w11H

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4416	omsecor.exe
3556	omsecor.exe
3280	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 4416	4376	f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47.exe	82
PID 4376 wrote to memory of 4416	4376	f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47.exe	82
PID 4376 wrote to memory of 4416	4376	f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47.exe	82
PID 4416 wrote to memory of 3556	4416	omsecor.exe	92
PID 4416 wrote to memory of 3556	4416	omsecor.exe	92
PID 4416 wrote to memory of 3556	4416	omsecor.exe	92
PID 3556 wrote to memory of 3280	3556	omsecor.exe	93
PID 3556 wrote to memory of 3280	3556	omsecor.exe	93
PID 3556 wrote to memory of 3280	3556	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47.exe
"C:\Users\Admin\AppData\Local\Temp\f4bf44219aa89fd1cad096bb332bc4f7fb5d1e34322d5745b23710b69ce30f47.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
da05dd3ad9aa7d985cd5b62343032507

SHA1
81ead91486e85d2aa6d7f223ce87874f2622c740

SHA256
4ad4cf04495b4ed7576c7f120866e7ba3677422103a8e5b66e408485ddd97a7e

SHA512
35459844399f8bcdfa4a5df1039d1e38d918e6a1e8df92ae0e780e605a3db9caa0646a047d08824963e1f6c8aabefcca7c078fbf4fe2da8c113600d4a5def60b

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
d84ecb40c785c8c373ae9d847b04b6b2

SHA1
9619f66be38c89962789e501444742008b39ad4c

SHA256
01dc12fe46bceb3e8ec467b051b3da2fcfc456f9333d3a2574dba8a2c1d33e7b

SHA512
c5f15552211f32c1515094089933c11db741946da17a141f0faa80f53a5dea5edc36c0de95773a81122ab5fd575d38bc84344be1c55fdfbe7290eec4e72a18d4

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
e6aa9fef65f6d447aa423eeeb6b2679d

SHA1
dba6fb7c7b9943731edd6a334ecb1cd092431f3e

SHA256
238e6988bece2ea037e71dbe78de93f6cc18fdba0d87d13c41ecce578aa5394f

SHA512
2611bbeff6c498e12225fef82f59037522960aea717ad1ceec51631554e23e1bc03338264c704421e6c0a614c8328c6ed9f746b6410c34346a195a4b7dea2e5a

Download Submit
memory/3280-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3280-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3556-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3556-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4376-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4376-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4416-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4416-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4416-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download