neconyd | 662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944

Analysis

max time kernel
104s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe
Size

76KB
MD5

4da380879d70fbcf230ed358131d352a
SHA1

02a0535a9e16715dcb4b7ce607fc1de765e3a7ba
SHA256

662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944
SHA512

56d9188446c96e1da11bf9aa7252796030c4b03c4be9b163ffda30de25587444f6f77658de7054045f356e56cfa6eb68530321f9d15748893d96d9326309c89c
SSDEEP

768:VMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAWb:VbIvYvZEyFKF6N4yS+AQmZTl/5Ob

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1784	omsecor.exe
3528	omsecor.exe
60	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 1784	1068	662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe	83
PID 1068 wrote to memory of 1784	1068	662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe	83
PID 1068 wrote to memory of 1784	1068	662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe	83
PID 1784 wrote to memory of 3528	1784	omsecor.exe	101
PID 1784 wrote to memory of 3528	1784	omsecor.exe	101
PID 1784 wrote to memory of 3528	1784	omsecor.exe	101
PID 3528 wrote to memory of 60	3528	omsecor.exe	102
PID 3528 wrote to memory of 60	3528	omsecor.exe	102
PID 3528 wrote to memory of 60	3528	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe
"C:\Users\Admin\AppData\Local\Temp\662ee72b1c477e0ba7cc9ff86da3da7e1df8792d58582519a7f674147814e944.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
b7dfe0df2a16995312b445e904f993c3

SHA1
2ef08b3efada5c204fb05829bb71aa5ff020fe97

SHA256
7e77a3a59dcf5ada852d1e5c5c419a1cba4c05b41bddde8c09a3469e7cf86731

SHA512
91a1cb3084c146abbc00057db870add3b3b6aa79dd50e5c627a2674de021de952142030a8de739a167247df063ce16ba3fbca9e2327bf4e42da3c7608a2d639c

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
76KB

MD5
d47b327fea566cbee5e9cc21398a8f1b

SHA1
6730610cdc25b214f6772b6c5a93848406b19e37

SHA256
cc4c5ff639447989c67ed504f40d652712ec290446439404037718dba23ad4f2

SHA512
7c48e0511f1ed0f7af9e9fe50ba80e4388eadc4b3e1e50fabd1f2ed2120d4c1514bd7fa32c1dd4e646828696dcd2eba239d122697786cee82c96ceafe4dfa359

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
76KB

MD5
e3869fd327c0b63fcf15e7e4f0986af3

SHA1
0b7a382fa2f76e8247b65131b15d648c9a1dec29

SHA256
2659f981aa2d25bcfe8c967c7e475986003b92e7fae316416143ce98c9503c66

SHA512
f34e847c2411fde9dc94ffaa0a0eb01b2e4d589cabf621b9816e7c9ee0c9775cb9e3801b7f47ea9259f13457f99ed6416c3c8b971deeb5471faec82a0318b621

Download Submit