neconyd | 5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca.exe
Size

80KB
MD5

1be45c634fbcc66ae879f6df6189eaf1
SHA1

81f88506aebebb2758352317c4b0c66f836051cd
SHA256

5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca
SHA512

d8e78a3cc4b01e8cc95034edfe93680d8a6a3b10356627374e1ad8631e09a28c7587ece71a9917e90ddb1a054d4daac2d670e1c08b1e67eb80000fb5e344a36a
SSDEEP

1536:Bd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:xdseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4560	omsecor.exe
404	omsecor.exe
2100	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 4560	2428	5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca.exe	82
PID 2428 wrote to memory of 4560	2428	5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca.exe	82
PID 2428 wrote to memory of 4560	2428	5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca.exe	82
PID 4560 wrote to memory of 404	4560	omsecor.exe	92
PID 4560 wrote to memory of 404	4560	omsecor.exe	92
PID 4560 wrote to memory of 404	4560	omsecor.exe	92
PID 404 wrote to memory of 2100	404	omsecor.exe	93
PID 404 wrote to memory of 2100	404	omsecor.exe	93
PID 404 wrote to memory of 2100	404	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca.exe
"C:\Users\Admin\AppData\Local\Temp\5074cf9bbea6edb5e02d13f59505235b32b938d857c83fef8ced628e3a248bca.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
bda65c3b825170cb0cc0cd0b7fe62bfe

SHA1
6a95758957049c214e53a05b17337be998cf8fac

SHA256
6c003d64ca5ce8a31852d332a0f8257e5fc6dd88e86ab2d914936372681158ea

SHA512
0339aa97e08e46e81a6ce0cb43e1f188ef4512dc9d7cdad37f1726417f46934a031ca5c08bd6f78a69f17f9ae85e222c3578cadecd138f17ebf1dad9bfb75983

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
f62aebc9707542d10e59fa0b674b7605

SHA1
6b4b3e81f915cc6c5539cc0a9310f84feb5b4b5c

SHA256
4369ae6ea54d7a46c9762d205d4696c0634f5f1351e552e995bbefe2e16fe8d1

SHA512
18e439ea5c5b91e9aab9a5e99c80567558214542892994a007c4d075b2326d979cb651fdb96eb80d0db10ef87ff2468a7546bf1f852a9807118612ec4008a213

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
8d70cd3324825b98047fa0a65b4245d6

SHA1
5265c1185e4dd54d0b17e502ef6ef9306182dbdf

SHA256
784a2aad43bc68b3add0e2e8cb50e2e6ee8cd2a9bf9de1ca0a5bb761c4fb194d

SHA512
37dd9968aa846206c1b0aae36a4ce134c138f2a6a3c2392ad2c1cca30355334fc9251be5d76b029c4ff8a5a89b7f4e2c35128d5ee8c840f848167fb13cc90d9b

Download Submit