neconyd | 7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9.exe
Size

88KB
MD5

b80b91e774206ac0a892f1a142188ed1
SHA1

b2116de24cde14d95765d44fc06474f2211b9cee
SHA256

7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9
SHA512

f5907b69eaa2315357a98d3c25764611ec2729677bc6df06ec3a6912965c7a333521845033d493a0756f4eab96cc571dfbc0992a333b9fa30ca14b2dff616d13
SSDEEP

1536:1d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5D:9dseIOMEZEyFjEOFqTiQm5l/5D

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2664	omsecor.exe
5076	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 2664	3304	7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9.exe	83
PID 3304 wrote to memory of 2664	3304	7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9.exe	83
PID 3304 wrote to memory of 2664	3304	7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9.exe	83
PID 2664 wrote to memory of 5076	2664	omsecor.exe	100
PID 2664 wrote to memory of 5076	2664	omsecor.exe	100
PID 2664 wrote to memory of 5076	2664	omsecor.exe	100

C:\Users\Admin\AppData\Local\Temp\7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9.exe
"C:\Users\Admin\AppData\Local\Temp\7889604f8ce1bd4cc6fb7e9cb8e645bbc5b36c6fb30d5250fba04cc5e1ace1c9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
88KB

MD5
5628bd8d3d5e902c5cbff02350b423bf

SHA1
a664d9a63cdda37eef937d7ebc0e9d7ddc07522d

SHA256
c223ba3cf90e0df0a6dcb73cd439276e945c9af67c79c44eb2ac39fb92f0197b

SHA512
adebcb17c21511f71f51b5d2e89af3d3f53b8d836785ac94222eecf6d78afc34ff7845c43fe598cf578825b6391d1b7cd21af4ef580b4841439c65b358990eea

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
88KB

MD5
af98dea01b952f44fbd4717ccdbc74f0

SHA1
2fadae4f08355641b20d384e7ff5a4183cab4e88

SHA256
dd3547ab4d0ddc394b6c880c0c324398e13626ad71bb83abbfc276f0bb0fe407

SHA512
dd05c40d9371d3a259d64abcb07f3edcb8970b58ac736722f2cc79e1f8004a525083f50826ff0551c9b134a63b8be1be48076efb4ff1685aadb680fb3fe70426

Download Submit