neconyd | c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2ae

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2aeN.exe
Size

71KB
MD5

9ee6e6a3aee111dea260c4500c4c34f0
SHA1

00d961b5e29126a2dc0f3c10f4ba3416ad1746c0
SHA256

c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2ae
SHA512

ae100dd7fcb57213e95305884e8a687b6de5fd8cb16cd5ace748015c767f6027570dbd23a2486591af3b8ec91043b0c8fd9b1f48c4722f211f116403a9f229aa
SSDEEP

1536:xd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHt:BdseIOMEZEyFjEOFqTiQmQDHIbHt

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
680	omsecor.exe
4380	omsecor.exe
2520	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2aeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 680	1224	c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2aeN.exe	81
PID 1224 wrote to memory of 680	1224	c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2aeN.exe	81
PID 1224 wrote to memory of 680	1224	c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2aeN.exe	81
PID 680 wrote to memory of 4380	680	omsecor.exe	92
PID 680 wrote to memory of 4380	680	omsecor.exe	92
PID 680 wrote to memory of 4380	680	omsecor.exe	92
PID 4380 wrote to memory of 2520	4380	omsecor.exe	93
PID 4380 wrote to memory of 2520	4380	omsecor.exe	93
PID 4380 wrote to memory of 2520	4380	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2aeN.exe
"C:\Users\Admin\AppData\Local\Temp\c22b3166089a020c67c4b277127311ec85fc53feb5433e02f4f4b021cbd7c2aeN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
4b8ef5603142f04617ebd125727c01c5

SHA1
31c960a960b93177c06c459af58f446a6f87e5a1

SHA256
a33aa3181525651b667b25be0cc088c96958a338f957004dd757b8520f8e15f6

SHA512
ae01f5fca118263e014dbfeb5acdd636c4ee215431a66139bdde2dfb38edf0e9a38a37ec0151a07b5690f11056ebf85184793e2299d1d79240246579821b839d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
0442df80e72317c63122fef8b403891e

SHA1
78a4d777a90712067a785f8d51ed22f3617c51db

SHA256
14144c798c12f7987dd7195830d4ffcb9ad6d2e6788d1be5dcd221e92b423fc9

SHA512
371d07149ebc2d54b7827c0b426eef69a59457c11e2b18d73616e48640774ca5c1e9e23e5188a974f6a664c35b377b2281e8c89c823f92da61a1444a52e1abae

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
97a13f73d517be9f8984ad3193c7a86b

SHA1
5ee56b4c747ed34ed6dc8216bd70df723245219b

SHA256
b9f9b7fd02a58d12b7fcbcc58978de1309866d9593bde8505b480ce76d46585d

SHA512
cb8181bb5c37366efb245c760c1a4e506f6bcb86e51ff81743093cd9360d43b8eb41891db6606ed440420ff70a3defacb9f3c9808842381f47550bf88610e086

Download Submit
memory/680-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/680-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/680-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1224-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1224-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2520-19-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2520-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4380-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4380-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download