neconyd | b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8.exe
Size

76KB
MD5

7558ffb530e028c740a509698c85c257
SHA1

4d716b78cf0fb491b10e7523b51f793f69d7ab6f
SHA256

b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8
SHA512

13aca0ec59c3a1d9c0f117f63d8dd62040df2580f88721246a1ce0511afc344e64dc49c18ddf32ced7ba0b4d36639949fdbc37790d767f25a05d20f4d3af0182
SSDEEP

768:BMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWZ:BbIvYvZEyFKF6N4yS+AQmZTl/5OZ

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2512	omsecor.exe
4668	omsecor.exe
1064	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 2512	4856	b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8.exe	83
PID 4856 wrote to memory of 2512	4856	b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8.exe	83
PID 4856 wrote to memory of 2512	4856	b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8.exe	83
PID 2512 wrote to memory of 4668	2512	omsecor.exe	100
PID 2512 wrote to memory of 4668	2512	omsecor.exe	100
PID 2512 wrote to memory of 4668	2512	omsecor.exe	100
PID 4668 wrote to memory of 1064	4668	omsecor.exe	101
PID 4668 wrote to memory of 1064	4668	omsecor.exe	101
PID 4668 wrote to memory of 1064	4668	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8.exe
"C:\Users\Admin\AppData\Local\Temp\b2962cf9b86a136790359f6c49096c8505f83dc44defdd34284b69b025e46fb8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
bb05dc2e407cc27955f7e8c3256db90a

SHA1
2551d02331ff27848b1c41a01689dab101eeaab8

SHA256
912a6b7bd8a4e41ead8b3c5ec36a00f3022070aa441b585a1df58f6ed590478a

SHA512
5ed5de76b974bee19c2e1db8009cfe49d50c5f085cdf9ef9fbe241aef142471b5b2c2dffdbaf3334fd1ab9035d9612897829656941db984562ef9843c8a99329

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
0563ba8dfff8d6ff48c05b27bcc36eed

SHA1
3c4f91d3988992ed9e2913979093a3d14fb4b75c

SHA256
57cd373c28d36bb286c2723c00212bf8f8dde8909cf60f5787a07c0a6f608376

SHA512
f3d2b2d7c17a0e5c56bad4854ecbb2ee29ba73489fe2438d9d3fd6e399d57964aae989d811030b17a42962868978e409dac582802f2c786c881518371a44e5cd

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
dddc620d44e82fd76f78520bc8809a6b

SHA1
1de5f15b1f8b67b27552981eb22e242fd787aa53

SHA256
d2136440e5c4e5c8ebb818d36fa115e8b8372fc6187a007eb47372449594cade

SHA512
3be2cca4c4183af3331bf07b9ccedb582e39dd70b8f0075a35e3ac14b96610a3719b3a68750ac1e6c6d3b28aae103e718323e105816ce1a3a5b87bd8d6ba0d45

Download Submit