neconyd | 52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe
Size

71KB
MD5

21cc6c38f55dc1d69047ff39215232c0
SHA1

94c2c34f29f4446f31cfcb34a173e099d12491a5
SHA256

52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7
SHA512

5bb568df180a048c0b3030544db0bf98fc5724aa67552eba353d0adac9c1d4b35b131028dcb25497a06e1e0cc6e19cde5e6fdfaead0929a9d14964a2d1aa4b14
SSDEEP

1536:Hd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZSDHIbHH:vdseIOMEZEyFjEOFqTiQmQDHIbHH

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3532	omsecor.exe
3712	omsecor.exe
2516	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 3532	3976	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe	85
PID 3976 wrote to memory of 3532	3976	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe	85
PID 3976 wrote to memory of 3532	3976	52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe	85
PID 3532 wrote to memory of 3712	3532	omsecor.exe	103
PID 3532 wrote to memory of 3712	3532	omsecor.exe	103
PID 3532 wrote to memory of 3712	3532	omsecor.exe	103
PID 3712 wrote to memory of 2516	3712	omsecor.exe	104
PID 3712 wrote to memory of 2516	3712	omsecor.exe	104
PID 3712 wrote to memory of 2516	3712	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe
"C:\Users\Admin\AppData\Local\Temp\52a2f3427764b71e5c9bb4ad8d06f2faa459fae8e5a7163cc0b03aeba40161e7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
826020a968a7f2ed65b65677f756aa88

SHA1
ca52f685fcf8155443e66bd93533a36a348bd7e5

SHA256
3d2be98d463f1ac53f9ff835f01fec01cc5635eacd354585f10375507eb59393

SHA512
3ba95f92e250dce0e340056824c4853c4a4fb5ae00451852a4b1f50812ef8d7bf3f66afb1b5711e86ddc522d0a21dcd64a8755a4c551d8360bbfcdbb46bb6266

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
71KB

MD5
7d6b4ebf35a1d1cb220ad2416d8d7fde

SHA1
e619156eabb9763cb053389d89b179702e279e7c

SHA256
d3a460e4e4104aefe151dca3bd858008418217c3a7c27dbf7841706dbd24afd0

SHA512
d266ed8046cde5d5902a4a987e6297f90c1a2b013601b2285028d7485bfff1b38c98cc5cfdde40a6c61c7af234fd42e590e18aae51abef314acd98e8b8b4f998

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
71KB

MD5
c194279b781ba0c0b0b8d757a0b6eb8d

SHA1
bc93430bb5c1a9de022dbc52006f8480ef73e0f3

SHA256
c203048c7e35fa93df3ffdf2a04ba5915f0183469e9d0e4dbc647d386e52bd2f

SHA512
a0d612eacb072be80ad2a2923708ce70640223969f61e0472530e736e7b7bb58bce059e0b95e12e02f7ba9a0520f8674ee02575fd66a3963d0018f1d1d1c206d

Download Submit
memory/2516-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2516-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3532-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3532-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3532-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3712-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3712-16-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3976-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3976-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download