neconyd | ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983.exe
Size

72KB
MD5

bdc3613df5600a4ead19a4bd3d6eed70
SHA1

14aef4aa9567ae26709b18edf2b9c02fa8f29045
SHA256

ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983
SHA512

993216f180cc004899be4987415570903439180aaf5cc8310abd7ab23e7990ed08a41f4d68c2273c453bf1ce29ec8946974cbc27cc3d783b892071df1e55fad8
SSDEEP

1536:7d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211l:LdseIOMEZEyFjEOFqTiQm5l/5211l

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2320	omsecor.exe
1928	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 2320	3604	ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983.exe	84
PID 3604 wrote to memory of 2320	3604	ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983.exe	84
PID 3604 wrote to memory of 2320	3604	ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983.exe	84
PID 2320 wrote to memory of 1928	2320	omsecor.exe	94
PID 2320 wrote to memory of 1928	2320	omsecor.exe	94
PID 2320 wrote to memory of 1928	2320	omsecor.exe	94

C:\Users\Admin\AppData\Local\Temp\ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983.exe
"C:\Users\Admin\AppData\Local\Temp\ee92827d2bcf2c0399a596b357aa44ac252260ad81a147ebfb0914e2fe371983.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
72KB

MD5
c7708cd8d35a805b29db689f512e88d6

SHA1
cbdec7168a52a0035244714b776b081dd31aca30

SHA256
ee653e973743f5663dd4cd3779bce83ed59086d852c2a2c645e8d5c26ad5d682

SHA512
fbb94aa5dee5d010efc56b1aefbc61dd7394e0b79df1c65f1f96bfead2cec7f751af70e752cdbe2778c944247bd8fdbaf51a2b2cd9c7e3f78957d17aac9a1ed5

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
72KB

MD5
d9937f20440a38db7f06938c1db8ed06

SHA1
f109ec769cbb4e84980e6f0b54697bbc1327220a

SHA256
7cca52549f1130937c2aa69b49c358964f756a635daf89d88b08fb1769471241

SHA512
265be49ead75ee3fc52023096cce6679fecd7a0d551e394e8a2f43082687a2c64bf0b8e00e0c7e945c0c0514bbbd54b1b009653408788e6ce735e5f9923bc0ac

Download Submit