neconyd | b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2025, 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
Size

65KB
MD5

e4ff0fdaf9755cdf8427bb42af18c3d8
SHA1

11ddbf277b764f01345aa299c75224defe885ada
SHA256

b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c
SHA512

2c7f97f96e3268985e096424f0f4ea568dd70eb2bc2a2f16048e7bb9cdcc63e34f438d41b9da31e3852237012745e5eb6ac264732aadf08c942765f5bb5aa606
SSDEEP

1536:Md9dseIOc+93bIvYvZEyF4EEOF6N4yS+AQmZ/Hzf:0dseIO+EZEyFjEOFqTiQmRHzf

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2040	omsecor.exe
1968	omsecor.exe
3744	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 2040	972	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe	82
PID 972 wrote to memory of 2040	972	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe	82
PID 972 wrote to memory of 2040	972	b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe	82
PID 2040 wrote to memory of 1968	2040	omsecor.exe	92
PID 2040 wrote to memory of 1968	2040	omsecor.exe	92
PID 2040 wrote to memory of 1968	2040	omsecor.exe	92
PID 1968 wrote to memory of 3744	1968	omsecor.exe	93
PID 1968 wrote to memory of 3744	1968	omsecor.exe	93
PID 1968 wrote to memory of 3744	1968	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe
"C:\Users\Admin\AppData\Local\Temp\b71d57382a6567da6e1867c4f8754b5dd019e46cda62cb1ff720d2c1d088ba1c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:972
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
39f80e12aad06ead448b2e05688c2bf0

SHA1
56ddd9a44fb2120b91f9f377e2cac78945465505

SHA256
f599898bb6a0ab4f10f482f92d124624f59f2faa6e5d437879ec04a8af2a1d11

SHA512
52ff53283f21aa8c6c9aac477b1f753b9f1dd0801eb846bc33367d71900e681ff8e2e3725696985b8f7d5b58700af042073afde3b9a0a06325ae7218dd7b621a

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
65KB

MD5
5f5cfdf7f19818afdf8bdabcd85b28bc

SHA1
91e29fe3f96f6484cebfe8430788d091b0b438d5

SHA256
df4816b0eb7c9235454e1bba0c02737f42c5ce211b5d4b0fa31043fe25ae562d

SHA512
6fc29f96cfaddf7f74ab0648b87bc613e29eb94d3c3d1f4845dfc05861911f4d9e914e45640bcdedec54a9c5baa6304273a8a61888b6100ef7a059dd3e39048e

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
65KB

MD5
aeae2bca8f90409a6700e1f3d79325e9

SHA1
b4bd3f1f31f8a981b702cc5e54578900135ea716

SHA256
a19fdcc5b777533714832fc4e1f65a728de6ed2bc71ce6d387c9a7414bf86a5e

SHA512
c793d2ee1d65303e8eb3f34e03d69f545c747a77dac931c9f965ca46ab218bde6cad90b0d4e7e58ade43828b01b34b89db88a540ed7c291005dfa0637c123de2

Download Submit
memory/972-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/972-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1968-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1968-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2040-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2040-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2040-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3744-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3744-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download