neconyd | 52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe
Size

71KB
MD5

21cc6c38f55dc1d69047ff39215232c0
SHA1

94c2c34f29f4446f31cfcb34a173e099d12491a5
SHA256

52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7
SHA512

5bb568df180a048c0b3030544db0bf98fc5724aa67552eba353d0adac9c1d4b35b131028dcb25497a06e1e0cc6e19cde5e6fdfaead0929a9d14964a2d1aa4b14
SSDEEP

1536:Hd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHH:vdseIOMEZEyFjEOFqTiQmQDHIbHH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
452	omsecor.exe
4068	omsecor.exe
4976	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 452	1496	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe	84
PID 1496 wrote to memory of 452	1496	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe	84
PID 1496 wrote to memory of 452	1496	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe	84
PID 452 wrote to memory of 4068	452	omsecor.exe	102
PID 452 wrote to memory of 4068	452	omsecor.exe	102
PID 452 wrote to memory of 4068	452	omsecor.exe	102
PID 4068 wrote to memory of 4976	4068	omsecor.exe	103
PID 4068 wrote to memory of 4976	4068	omsecor.exe	103
PID 4068 wrote to memory of 4976	4068	omsecor.exe	103

C:\Users\Admin\AppData\Local\Temp\52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe
"C:\Users\Admin\AppData\Local\Temp\52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
71c92aaed5a7e2819b5c5dc9ae8fbc50

SHA1
b5db65641251e50c0272a438ce8443718fabf5df

SHA256
e3e4585c645e29ca968eb34b4d3274bbe017ae6dce3dab12d46c9b7ff10c00d2

SHA512
3cb68094e095d7cf5436a542344e9d323d23b26aa4618f0bd52cf724fcf6a1fe00a283f64062306214ef424b673d31669c01541b065b7633a52294b549933b50

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
7d6b4ebf35a1d1cb220ad2416d8d7fde

SHA1
e619156eabb9763cb053389d89b179702e279e7c

SHA256
d3a460e4e4104aefe151dca3bd858008418217c3a7c27dbf7841706dbd24afd0

SHA512
d266ed8046cde5d5902a4a987e6297f90c1a2b013601b2285028d7485bfff1b38c98cc5cfdde40a6c61c7af234fd42e590e18aae51abef314acd98e8b8b4f998

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
86100bfee8b1208a7ca03efe79be43a0

SHA1
aa385c3e387d7cdfd41883e2b6e710d570d36cfa

SHA256
6080a30080a859f12ee303970c251122907b80cde735ad92bd8b63d49df3edd5

SHA512
d61f3ae423bcf027b3a4660ed2cdbdc4df94f89c617b8ff6a0871ac6ae6856d345d9ebb2c00aafdf2a81fb9d5cbb9c3dc0a05bd11efd58ee43fdfa87f12734fc

Download Submit
memory/452-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/452-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/452-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1496-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1496-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4068-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4068-16-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4976-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4976-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download