neconyd | 86696d68a800c1ae54248d11f1247a5e8a4dfba9924b3af7325272b6969b9065

Analysis

max time kernel
105s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86696d68a800c1ae54248d11f1247a5e8a4dfba9924b3af7325272b6969b9065N.exe
Size

64KB
MD5

3bda97468b18ba7d2a0c116b281761a0
SHA1

aa1d379911bc389465892ed4df92875c707d3193
SHA256

86696d68a800c1ae54248d11f1247a5e8a4dfba9924b3af7325272b6969b9065
SHA512

f5043927dadd14300a9a8fe412d076183bf0556fc95515afe5d3494d4ddeb7a5063fb60ec88367351a44ea5c1c7f6d75ea6ddd9f71c7d455c94ba327c1861d39
SSDEEP

768:oMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uAN:obIvYvZEyFKF6N4yS+AQmZcl/51

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4820	omsecor.exe
3620	omsecor.exe
2252	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86696d68a800c1ae54248d11f1247a5e8a4dfba9924b3af7325272b6969b9065N.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 4820	3932	86696d68a800c1ae54248d11f1247a5e8a4dfba9924b3af7325272b6969b9065N.exe	83
PID 3932 wrote to memory of 4820	3932	86696d68a800c1ae54248d11f1247a5e8a4dfba9924b3af7325272b6969b9065N.exe	83
PID 3932 wrote to memory of 4820	3932	86696d68a800c1ae54248d11f1247a5e8a4dfba9924b3af7325272b6969b9065N.exe	83
PID 4820 wrote to memory of 3620	4820	omsecor.exe	101
PID 4820 wrote to memory of 3620	4820	omsecor.exe	101
PID 4820 wrote to memory of 3620	4820	omsecor.exe	101
PID 3620 wrote to memory of 2252	3620	omsecor.exe	102
PID 3620 wrote to memory of 2252	3620	omsecor.exe	102
PID 3620 wrote to memory of 2252	3620	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\86696d68a800c1ae54248d11f1247a5e8a4dfba9924b3af7325272b6969b9065N.exe
"C:\Users\Admin\AppData\Local\Temp\86696d68a800c1ae54248d11f1247a5e8a4dfba9924b3af7325272b6969b9065N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
7a04fcb9b5cdd0677b69c699fb55b4fe

SHA1
9ff0d42df7cfe0742ed6ab76710adfc151edb705

SHA256
11f8cc9a1fa0a0042a82f2b8968d7f1c6bced5a8c59027a711c38b55950f73f9

SHA512
2bd658aca5f08993d750d0e739a0dc6fb110afed83d7aed8cafdcd1155abeb0e48bdfdae5b2a5cd33ef4ef93487f29b601752a94d662dd9e18c342fd1b84b985

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
e8172aa27ac4ad31fef6abf816bad2e0

SHA1
1016f50a13bee21711e6627be238de9bd7956b89

SHA256
bbcc81bb6acf190a3f17ee0a8eb50e018f79b595e538f5cda94002a46a10ca76

SHA512
866cf62ae6fb928427a1f0df0bc8867f12803a424e5f318612428dd8036d926f300fbcd9217969a34e47d9f58df262ee630055d67ec0e22cfb4638dc866d3113

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
76ce0e0cd92f5e90cd1f74b3675e6bc6

SHA1
f7c35961532d342a005e1770c60a5d807aa3240f

SHA256
90fce58a1e367ccbf3629b4a63c847028673825ed286c8aa026f51bd7cc86dd7

SHA512
5c45702ef725ffa22d179814571871ba18dc81228cc7d239e42f0bf842e63bf057e13d5caf6262133af20944a5d04398bda3038f658647f519bab93ea24cfe4a

Download Submit