neconyd | c966db3d63243bc569d4885d5e287cdd70b5424e56170809f1f1f1812d214f76

Analysis

max time kernel
115s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c966db3d63243bc569d4885d5e287cdd70b5424e56170809f1f1f1812d214f76.exe
Size

64KB
MD5

aab4f2433346d23f9d0d8a935ca9f441
SHA1

e64bb91c75ad5a2ecd5c1e24466f22f1fce5f7b4
SHA256

c966db3d63243bc569d4885d5e287cdd70b5424e56170809f1f1f1812d214f76
SHA512

bac30460964dc6928d2fdb85cb53b5e6a755f580f077c85780bddf27e2404ed42ad96d660ac5b646266a97d95a3e8413f79f677dd2b0d0790a3d7891b94f6585
SSDEEP

768:sMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uAt:sbIvYvZEyFKF6N4yS+AQmZcl/5V

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2460	omsecor.exe
1748	omsecor.exe

Loads dropped DLL 4 IoCs

pid	Process
2432	c966db3d63243bc569d4885d5e287cdd70b5424e56170809f1f1f1812d214f76.exe
2432	c966db3d63243bc569d4885d5e287cdd70b5424e56170809f1f1f1812d214f76.exe
2460	omsecor.exe
2460	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c966db3d63243bc569d4885d5e287cdd70b5424e56170809f1f1f1812d214f76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2460	2432	c966db3d63243bc569d4885d5e287cdd70b5424e56170809f1f1f1812d214f76.exe	29
PID 2432 wrote to memory of 2460	2432	c966db3d63243bc569d4885d5e287cdd70b5424e56170809f1f1f1812d214f76.exe	29
PID 2432 wrote to memory of 2460	2432	c966db3d63243bc569d4885d5e287cdd70b5424e56170809f1f1f1812d214f76.exe	29
PID 2432 wrote to memory of 2460	2432	c966db3d63243bc569d4885d5e287cdd70b5424e56170809f1f1f1812d214f76.exe	29
PID 2460 wrote to memory of 1748	2460	omsecor.exe	31
PID 2460 wrote to memory of 1748	2460	omsecor.exe	31
PID 2460 wrote to memory of 1748	2460	omsecor.exe	31
PID 2460 wrote to memory of 1748	2460	omsecor.exe	31

C:\Users\Admin\AppData\Local\Temp\c966db3d63243bc569d4885d5e287cdd70b5424e56170809f1f1f1812d214f76.exe
"C:\Users\Admin\AppData\Local\Temp\c966db3d63243bc569d4885d5e287cdd70b5424e56170809f1f1f1812d214f76.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
197239f2d8f9038ee9a61ab6b8f864dd

SHA1
9fa37f100036ed391f00c7723c07f018b9833ddd

SHA256
95f5c6b99ccf1dfa46d7dacd38f8728c1437a1f21a971f87d70f8ba921c9bc6d

SHA512
2affe30370e4690c7742a6527cb67651973af39d10b3f5d19a9f06e2bb0ac4b89a743818c641f170cd102f1f273019c41e2d392173469fc5d51c89ba3d66c81a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
f2c7ae175988f8c01b14c1bac2b05000

SHA1
f8248a128102b76565e4df692b39004679d6895a

SHA256
a3799212dbb332558373498c5479a21bdd4ab8030c1520e564d300d4e4547905

SHA512
2168b3c7a0e9760529f618b238a63d1a9ead7b76c0a74a2fc2d8f0144564f29f1cc7ece4ef29cefa68691835c02d2949ca3eedb406a912f1403432be50700636

Download Submit