neconyd | 7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e.exe
Size

72KB
MD5

797b05d00fb1211f8ac5f9426077beb0
SHA1

99c850d26563e145a26f0a6598accadd31715d68
SHA256

7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e
SHA512

37bddad3fb64983ef6725cee4b08d368ff6b39be88eb01e0041d9e3348531b582fc029821e7c5dc62b3bd0af21410ca3fa445c1042102e7d237c7c47fd8ba254
SSDEEP

1536:Ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211v:7dseIOMEZEyFjEOFqTiQm5l/5211v

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3836	omsecor.exe
2320	omsecor.exe
1104	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 3836	3896	7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e.exe	82
PID 3896 wrote to memory of 3836	3896	7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e.exe	82
PID 3896 wrote to memory of 3836	3896	7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e.exe	82
PID 3836 wrote to memory of 2320	3836	omsecor.exe	92
PID 3836 wrote to memory of 2320	3836	omsecor.exe	92
PID 3836 wrote to memory of 2320	3836	omsecor.exe	92
PID 2320 wrote to memory of 1104	2320	omsecor.exe	93
PID 2320 wrote to memory of 1104	2320	omsecor.exe	93
PID 2320 wrote to memory of 1104	2320	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e.exe
"C:\Users\Admin\AppData\Local\Temp\7acb671acbdf51f46654cb14ce880042627a05da14acf6e8be04ea6ec076770e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
c52823731f52dbc5514078361c5391e4

SHA1
5916db477f52f617226150787ea99d013ecd4ac8

SHA256
1d77415d94dc293745ac33b20829a57d953ef5b833f63d914158062e12e3d942

SHA512
bc14c89b38ae5a0f0689458ce5e3dbe2efe895f08f997e75858571cb4b51ee49538439eb1def7e3746224657b7d827f7781fc97f9cc3fddfdc2656a8a563ade2

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
928eabe07d1f7645e93a2c093b27bb34

SHA1
8e3d58350449766b3ca712ca0afab58b81a9e285

SHA256
6a99192e7e47fc75d1bd064d1409532cccff64793b768db09739fd420fc238eb

SHA512
11a8f660fc36079b44f88f2964618d536a43cda92b46ea626dd3794c8b3dee25b2c8353557edc8eea97c0d5a61b195d272a9bb81ec9034500b0e16910a337dd1

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
ebc1e6f6b66438b1ac542dd5a3c3e75c

SHA1
9d945e4355bdc078fa028c4acbdce09cf4017d10

SHA256
4ea726113584d82daacfab5cbb64743b49ec5dc5d9ca983b98f7145dbe3f8f90

SHA512
f2df414db3ddc3e9f0ca8c12f2d27b60498632276c1b382b159bec5040309e0b6365c3e1ec370a4277d8396da8c2b4439222fa7d9e081e6d9693a9c4a66a0015

Download Submit