neconyd | 71560bb5e31c7950958baeeca6ec5a2c0bc35427a534793230feff0bb362d040

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71560bb5e31c7950958baeeca6ec5a2c0bc35427a534793230feff0bb362d040N.exe
Size

64KB
MD5

c905133d04e42e3abb677b0d3b4b44d0
SHA1

598ef8b9725a06652b38ff5ba174a1ffd019128e
SHA256

71560bb5e31c7950958baeeca6ec5a2c0bc35427a534793230feff0bb362d040
SHA512

d5a65b42fe4e922cb8e60f0e5e419d800eb733abbb5d26694debfe9cd4d2974c64837cffa081211c7583aabbda4ee1f79c4eab40291dc5e86cb2f3e442cbaeef
SSDEEP

768:sMEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uAH:sbIvYvZEyFKF6N4yS+AQmZcl/5f

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1244	omsecor.exe
1960	omsecor.exe
5048	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71560bb5e31c7950958baeeca6ec5a2c0bc35427a534793230feff0bb362d040N.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 1244	3472	71560bb5e31c7950958baeeca6ec5a2c0bc35427a534793230feff0bb362d040N.exe	83
PID 3472 wrote to memory of 1244	3472	71560bb5e31c7950958baeeca6ec5a2c0bc35427a534793230feff0bb362d040N.exe	83
PID 3472 wrote to memory of 1244	3472	71560bb5e31c7950958baeeca6ec5a2c0bc35427a534793230feff0bb362d040N.exe	83
PID 1244 wrote to memory of 1960	1244	omsecor.exe	100
PID 1244 wrote to memory of 1960	1244	omsecor.exe	100
PID 1244 wrote to memory of 1960	1244	omsecor.exe	100
PID 1960 wrote to memory of 5048	1960	omsecor.exe	101
PID 1960 wrote to memory of 5048	1960	omsecor.exe	101
PID 1960 wrote to memory of 5048	1960	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\71560bb5e31c7950958baeeca6ec5a2c0bc35427a534793230feff0bb362d040N.exe
"C:\Users\Admin\AppData\Local\Temp\71560bb5e31c7950958baeeca6ec5a2c0bc35427a534793230feff0bb362d040N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
f79945811f4132c4463997f4c7b773dc

SHA1
3cbcb605e40ebfb9dc3aab338332f79fc796cdcb

SHA256
f893baa51770b78444199fcc93ca4bef61667811d0cc2c41198a0c54ae91ba02

SHA512
99b32ba06488d631e2c75bb52c2846297958ce71d96635d97f0b2c4c648fb9e9b33b1e346036aa72d6a20a372a33f5e79dc8d6b16d6391a77993b4eeff51cc44

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
d561583e1927aea6c72ca11a5c80c8be

SHA1
55dc2f33d5234ada72de7cf6c70d3487eaf576f0

SHA256
a55adea243226763110365e46acc7ac13b86d0bbb1df630a3543076ae143b152

SHA512
0381c894591915031d6ef3fc4360704f5d96ce7f33cdea96f253f4c389fde23a491343337e4f0dcb811e73e40315a2c988c588d4cb8327a691190ae61a013d7a

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
feaf7a521e3593da08e734503b09fee4

SHA1
4addcdb7ca8e072c7d1f13a4a02fe94a89900886

SHA256
7133ad98a7a76701ed6a28f14e6f0143f185f9f6fd1729d507c78e2bfbea298d

SHA512
0a1724023b21572f7be050570968e770ba203020579ae7afcdec1a1e5cf8558c688d8efae70c8440ff2ad795f25a66b5ce5c8db33d9488d7e84696a3501be17b

Download Submit