neconyd | b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2025, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
Size

65KB
MD5

e4ff0fdaf9755cdf8427bb42af18c3d8
SHA1

11ddbf277b764f01345aa299c75224defe885ada
SHA256

b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c
SHA512

2c7f97f96e3268985e096424f0f4ea568dd70eb2bc2a2f16048e7bb9cdcc63e34f438d41b9da31e3852237012745e5eb6ac264732aadf08c942765f5bb5aa606
SSDEEP

1536:Md9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzf:0dseIO+EZEyFjEOFqTiQmRHzf

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3960	omsecor.exe
4984	omsecor.exe
1516	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 3960	4628	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe	83
PID 4628 wrote to memory of 3960	4628	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe	83
PID 4628 wrote to memory of 3960	4628	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe	83
PID 3960 wrote to memory of 4984	3960	omsecor.exe	100
PID 3960 wrote to memory of 4984	3960	omsecor.exe	100
PID 3960 wrote to memory of 4984	3960	omsecor.exe	100
PID 4984 wrote to memory of 1516	4984	omsecor.exe	101
PID 4984 wrote to memory of 1516	4984	omsecor.exe	101
PID 4984 wrote to memory of 1516	4984	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
"C:\Users\Admin\AppData\Local\Temp\b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
8399a5b239f0e91d1c1908c5bc891f02

SHA1
b95428519681b5766225b0ed971449f3aeb11f70

SHA256
8b09b1af0f276c0fbab83807dab5d76f523ccc164d503896083f7b000b2702b0

SHA512
2e7d843b59553bddb38547f5d415a7643d61f78dcca69e6678fa61c1461389cbfa3eebd3d25389eba2b1382d2e6e0fbec323692c2ef6982023476bd439825417

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
5f5cfdf7f19818afdf8bdabcd85b28bc

SHA1
91e29fe3f96f6484cebfe8430788d091b0b438d5

SHA256
df4816b0eb7c9235454e1bba0c02737f42c5ce211b5d4b0fa31043fe25ae562d

SHA512
6fc29f96cfaddf7f74ab0648b87bc613e29eb94d3c3d1f4845dfc05861911f4d9e914e45640bcdedec54a9c5baa6304273a8a61888b6100ef7a059dd3e39048e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
13fa702b8ef44f7d315b333560e62268

SHA1
138c07d2720b555eba63e98586a4dc64e7cd115b

SHA256
d7e91952b16ab3d3449f4aaf333d05022ebdb98898582711d781d529164cd0bd

SHA512
edbb63bedb511d8eb652b7bdb8736f92f88ff5f989bcd8252ee812ce7ee50e4e1573ba8f0eb4cbe84fce7efc6ee0bf08345c0a6ac7208efe475dca7124b2a265

Download Submit
memory/1516-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1516-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3960-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3960-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3960-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4628-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4628-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4984-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4984-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download